IPhone Hacking

From ivc wiki

The iPhone was released in the USA on 29th June 2007, and after 2 months it was finally possible to hack the iPhone to allow it to run true native third-party applications, aka homebrew applications.

Firmware v1.0.2

Downgrade

If the phone came with v1.1.1, it's (as of writing) necessary to downgrade to v1.0.2.

  1. Download the iPhone v1.0.2 firmware from Apple.
  2. Download and install iTunes v7.3.2. Select a new folder if iTunes is already installed.
  3. On the iPhone, press and hold both the SLEEP and HOME buttons for 8-10 seconds.
  4. The screen should go completely black, release the SLEEP button and continue to hold the HOME button.
  5. When the iPhone says 'Connect to iTunes' release the button and connect the USB-cable.
  6. Open iTunes and click 'Ok' when it prompts that a restore is needed. Hold SHIFT (on Windows) and select the v1.0.2 firmware file.
  7. The restore should complete with a 1013 error. A yellow triangle on the iPhone indicates that v1.0.2 has been installed.

Jailbreak

Jailbreaking means escaping the 'Media'-partition of the iPhone, where only some settings and all the media files are stored. Technically the jail is essentially a 'chroot /var/root/Media'.

  1. There are two ways to jailbreak on Windows: the Apptapp installer or iBrickr. Download the recommended Apptapp installer.
  2. With the iPhone still in the yellow-triangle restore mode, run Apptapp and let it work through all the steps. It will jailbreak the phone and install Installer.app.
  3. Once jailbroken, the iPhone will return to the 'Slide for emergency' screen and still needs activation to load the normal Springboard.

Activate

A normal iPhone can only work and be activated on the AT&T network. Faking the activation tricks the iPhone into the 'Activated' state, and all the functions except the phone are available.

  1. Download the iAsign package for Mac and then the Windows (Win32) update. Put iAsign.exe in the 'bin'-folder.
  2. Upload the iPhoneActivation.pem file to the iPhone and put it in /Library/System/Lockdown/ using the upload function in iBrickr.
  3. Open a command-prompt (Start -> Run -> cmd) and change directory (cd) to the iAsign folder.
  4. Run 'iAsign --automatic iPhoneActivation_private.pem' to generate a new activated certificate on the iPhone.
  5. A message should show stating the iPhone is activated. The 'Slide to emergency'-message should have changed to 'Slide to unlock'.
  6. You now see the Springboard and the 'Installer' application.
  7. To make it easy to upload files and execute remote commands on the iPhone, open Installer, install 'BSD Subsystem' and 'OpenSSH'. Use WinSCP to connect with username 'root' and password 'dottie' (first connect takes time).

Youtube

Youtube requires some certificates to work properly.

  1. Download the 3 required Youtube files.
  2. Upload the data_ark.plist, device_private_key.pem and device_public_key.pem files to /var/root/Library/Lockdown/.
  3. Open the data_ark.plist and copy the certificate block ending in '...FLS0tLS0K'.
  4. In the same directory, go into 'pair_records', edit the file (double click) and paste the certificate into the DeviceCertificate section.
  5. Go into the 'activation_records' directory and do the same for all the files.
  6. Hold the SLEEP button for 5 seconds and reboot the iPhone.

Unlock

To be able to use any SIM-card the iPhone's baseband firmware has to be modified.

  1. Download AnySIM v1.1 and extract the AnySIM.app folder.
  2. Upload the AnySIM.app folder to the /Application/ directory on the iPhone.
  3. Change the permissions on the 'anysim' binary to 0755 by selecting 'Properties' in WinSCP and checking all the checkboxes for 'X'.
  4. Shutdown the iPhone, insert the new SIM-card and power-on. AnySIM should appear in the Springboard.
  5. Open AnySIM, disable the Auto-lock as instructed and follow the two steps to begin the unlocking. It normally takes 5-10 minutes to complete the unlocking.
  6. If you get a 'SIM Locked'-message after the process is successful, press 'Unlock' and enter the PIN-code for the SIM. You can disable the prompt in Settings -> Phone -> SIM Pin.

Localization

Keyboard

The iPhone does not come with any other dictionary or keyboard layouts than the default American package.

New recommended method:

  1. In Safari go to http://russianiphone.com/beta/en/ and http://iph0ne.moo.no/ and install the sources when prompted.
  2. Go into Installer and install Mobile Enhancer (which is a plugin-like extension) and Norwegian Keyboard (a plugin for Mobile Enhancer).
  3. Reboot phone.

Old method:

To add Norwegian locale support, a few files have to be patched. The characters '[', ']' and '{' will be replaced with 'æ', 'ø' and 'å' respectively.

  1. Download the Norwegian dictionary from the iPhoneShop download page.
  2. Download the patched keyboard .artwork file with Norwegian character keyboard images.
  3. Download the patched UIKit binary to output the actual Norwegian character code when the key is touched.
  4. Extract all the files and put them into the /System/Library/Frameworks/UIKit.framework/ directory on the iPhone. Backup the originals. Change the permissions for 'UIKit' to 0755.
  5. Reboot the iPhone and test the new keyboard and dictionary.

Phone Number Format

The default phone number format is the classic American standard with the parentheses and spaces. The format string is dictated by a simple settings file.

Replace US format with NO format:

  1. On the iPhone, go to /System/Library/Frameworks/AddressBookUI.framework/ and download the ABPPhoneFormats.plist file.
  2. Browse to this binary-to-xml website to convert the plist to an XML file.
  3. Open the new file in a plain text editor and find the 'US'-key.
  4. Change the format string in the 'US'-key to the new format. For Norway the strings will be ######## and +47 ########.
  5. Save the file and upload the file to the same directory. No need to convert the plist back to binary.
  6. Reboot the iPhone and check the Phone application to see the new string.

International Caller ID

The iPhone supports 7 digits to handle local and international phone number formats. It cuts off from the end and tries to match the phone number with the contacts. The length differs from country to country.

  1. Download the patched AppSupport binary that matches the length of the phone number, AppSupport.
  2. Upload AppSupport to /System/Library/Frameworks/Appsupport.framework/
  3. Reboot the phone.
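Added example in Python (not code from the wiki) covering the two pieces of phone-number handling in the last two sections: rendering a number with the ABPPhoneFormats-style '#' patterns given for Norway, and the suffix matching the Caller ID section describes, compared with 7 and 8 digits. The contact list and numbers are constructed, and the matching logic is a reading of the page's description, not AppSupport's actual code.

```python
import re

# Constructed sample contacts (made-up numbers), typed the way users enter them.
CONTACTS = {
    "Kari": "+47 91509001",        # Norwegian mobile: 8 digits after the country code
    "Ola": "+47 41509001",         # differs from Kari's number only in the first digit
    "Dana": "+1 (212) 555-0142",   # US number, 10 digits after the country code
}

# The two strings the page gives for the 'US' key when localizing to Norway.
NORWAY_PATTERNS = ["########", "+47 ########"]


def digits_only(number: str) -> str:
    """Keep only the digits: drops '+', spaces, parentheses and dashes."""
    return re.sub(r"\D", "", number)


def format_number(number: str, patterns) -> str:
    """Render a number with the first ABPPhoneFormats-style pattern that fits.

    In a pattern, '#' consumes one digit and every other character is a literal.
    A pattern fits when the dialled digits start with the pattern's literal
    digits (e.g. "47" in "+47 ########") and exactly one digit is left for each
    '#'. If no pattern fits, the bare digits are returned unchanged.
    """
    d = digits_only(number)
    for pattern in patterns:
        prefix = digits_only(pattern)          # literal digits inside the pattern
        if not d.startswith(prefix) or len(d) - len(prefix) != pattern.count("#"):
            continue
        remaining = iter(d[len(prefix):])
        return "".join(next(remaining) if ch == "#" else ch for ch in pattern)
    return d


def match_caller(incoming: str, contacts: dict, suffix_len: int = 7) -> list:
    """Names whose stored number ends in the same `suffix_len` digits as the caller ID.

    The page says the stock AppSupport compares the last 7 digits; the patched
    AppSupport uses the country's own length (8 for Norway). With only 7 digits,
    two Norwegian numbers differing in their first digit are indistinguishable.
    """
    key = digits_only(incoming)[-suffix_len:]
    return [name for name, number in contacts.items()
            if digits_only(number)[-suffix_len:] == key]


if __name__ == "__main__":
    print(format_number("915 09 001", NORWAY_PATTERNS))        # 91509001
    print(format_number("+4791509001", NORWAY_PATTERNS))       # +47 91509001
    print(match_caller("+4791509001", CONTACTS, 7))            # ['Kari', 'Ola']
    print(match_caller("+4791509001", CONTACTS, 8))            # ['Kari']
```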

Voicemail Button

The voicemail button in the Phone application will not be functional on a non-AT&T network. It's possible to re-program the button to dial the correct voicemail phone number.

  1. Open the Phone application and select the Keypad.
  2. Enter the code *5005*86*...# where the three dots ('...') indicate the voicemail phone number for the operator.
  3. For Telenor in Norway, this sequence is used: *5005*86*+4791509001#.
  4. Try to hit the voicemail button and it will connect to the voicemail service.

Firmware v1.1.1

There are many interesting fixes and a few new features in the iPhone v1.1.1 firmware update, but applying the update will re-jail the phone and flash the modem baseband. A regular update does not remove settings and all the media files are preserved, but third-party applications are wiped. Some applications may need updates to function on v1.1.1.

Updating

  1. Open iTunes and keep it open during the next steps. This is to trick the re-jailing.
  2. SSH remotely into the iPhone (using PuTTY or a terminal) and change directory (cd) to /var/root/.
  3. Rename the 'Media' directory to 'Media-old' using 'mv Media Media-old' and issue this command to create a symbolic link: 'ln -s / Media'.
  4. Another prerequisite is a copy of 'lockdownd' from v1.0.2: 'cp /usr/libexec/lockdownd /var/root/lockdown.1.0.2' (/var/root/ is not erased). It's used to generate a valid activation certificate on v1.1.1.
  5. Now, in iTunes click the 'Update' button to start the update process. When it's finished the phone should show an activation screen and the slider should say 'Slide to emergency'. Everything is OK.

Enabling read/write

  1. Download the JailbreakWindows_v1.1.1.zip package and extract it.
  2. Open a command prompt, change directory to the JailbreakWindows directory and execute the iphuc-jailbreak.exe application.
  3. To make sure the iPhone is jailbroken, issue 'ls' and look for 'Applications'. If it shows up, everything is good.
  4. To enable read/write (rw), the /etc/fstab file has to be replaced. A special putjailbreak command overwrites the correct sector in the flash to update the file. In iphuc-jailbreak.exe, issue 'putjailbreak rdisk0s1 /dev/rdisk0s1'.
  5. Reboot the iPhone to enable the read/write filesystem.

Install SSH

This step assumes a working Wifi configuration was set up before the v1.1.1 upgrade. Otherwise you need an open Wifi network and/or to do the activation and contacts hack to enable a Wifi network connection, so that you can connect via SSH.

  1. In the JailbreakWindows folder, delete the com.apple.update.plist.orig, com.apple.update.plist.orig, update and update.org files. Otherwise the renaming of the original files from the iPhone will fail.
  2. Open a command prompt and execute the sshify-windows.bat batch file. Follow the simple instructions.
  3. When phase 4 is finished, the last 'fileref' should return 0. That means a file failed to be copied.
  4. Execute iphoneinterface.exe and issue this command to upload the last com.apple.update.plist: 'putfile /System/Library/LaunchDaemons/com.apple.update.plist'.
  5. Reboot the iPhone once more to enable the dropbear SSH server.
  6. Connect to the SSH server (PuTTY or a terminal) and use the username root and the new password alpine. The dropbear server does not support SFTP, only SCP.

Install Installer.app

  1. Follow the same procedure as when installing SSH above.
  2. Open a command-prompt and execute the installapps.bat batch script.
  3. Installer.app can be executed via SSH before activation if wanted by doing the activation and contacts hack.

Activating

  1. Open a command prompt and change directory to the JailbreakWindows directory.
  2. Execute iphoneinterface.exe and issue this command to install the public certificate that makes the activation work: 'putfile /System/Library/Lockdown/iPhoneActivation.pem'.
  3. SSH in remotely and make a copy of lockdownd for v1.1.1: 'cp /usr/libexec/lockdownd /var/root/lockdownd.1.1.1'.
  4. Install the 'cp' binary with iphoneinterface.exe: 'putfile /bin/cp'. Fix the permissions: 'chmod +x /bin/cp'.
  5. Copy the old lockdownd from v1.0.2 over the current lockdownd: 'cp /var/root/lockdown.1.0.2 /usr/libexec/lockdownd'.
  6. Restart the lockdownd daemon: 'ps xa', find the PID, then 'kill <pid>' (21 in this case). It should automatically restart.
  7. If 'ps' is not present, install the BSD Subsystem pack with Installer.app and the contacts hack above.
  8. Do the same for the afcd daemon: 'ps xa', then 'kill <pid>' (43 in this case).
  9. Note that iphoneinterface.exe will fail to work if the iPhone is rebooted with lockdownd from v1.0.2; afc requires v1.1.1. Copy v1.1.1 back over before rebooting.
  10. Download the iAsign package for Mac and then the Windows (Win32) update. Put iAsign.exe in the 'bin' folder.
  11. Open a command prompt and change directory to the iAsign folder.
  12. Run 'iAsign --automatic iPhoneActivation_private.pem' to generate a new activated certificate on the iPhone. A message should show stating the iPhone is activated.
  13. Restore the lockdownd from v1.1.1: 'cp /var/root/lockdownd.1.1.1 /usr/libexec/lockdownd'.
  14. Kill lockdownd once more and it should restart: 'ps xa', then 'kill <pid>'.
  15. The iPhone screen should now show a 'Slide to unlock' slider and the phone is successfully activated.

Patch Springboard

The new Springboard has to be patched to behave as before.

  1. Make springpatch executable: 'chmod 755 /usr/bin/springpatch'.
  2. Execute the patch, '/usr/bin/springpatch'.

Fix Installer.app Settings

If Installer.app was installed before the update, all the preference files are invalid because the applications are wiped.

  1. Remove the preferences for Installer.app, 'rm -r /private/var/root/Library/Installer'.
  2. Make the new Installer.app executable, 'chmod 755 /Applications/Installer.app/Installer'.
  3. Reboot to load the changes.

Restoring Media Partition

  1. Remove the symbolic link: 'rm Media'.
  2. Move the old Media library back: 'mv Media-old Media'.

Install BSD Tools

Installer.app (recommended):

  1. Install the BSD Subsystem via Installer.app.

Natetrue:

  1. Download the Base and Extra tarballs from natetrue.com.
  2. Transfer the files to root (/) on the iPhone via SCP; either WinSCP or scp works.
  3. SSH remotely into the iPhone and issue the extract command on both tarballs: 'tar zxvf *.tar.gz'.
  4. Move the files into the system using rsync: 'rsync -av BSD_Base /' and 'rsync -av BSD_Extra /'.
  5. The extraction will overwrite original iPhone files with newer versions.

Fix SSH

The dropbear SSH server does not have SFTP and is incompatible with the Services applications. OpenSSH is recommended.

  1. SCP into the iPhone.
  2. Remove the following files:
/etc/dropbear/dropbear_rsa_host_key
/etc/dropbear/dropbear_dss_host_key
/etc/dropbear (folder)
/etc/hackinit.sh
/etc/init.d/dropbear.sh
/etc/init.d (folder)
/usr/bin/dropbear
  3. Install Community Sources and the OpenSSH client and server.
  4. Reboot the iPhone to enable the new SSH server.

Add Contacts Icon

Add a contacts icon on the home screen.

  1. Download /System/Library/CoreServices/Springboard.app/M68AP5.plist.
  2. Add this dict before the 'com.apple.MobileStore' entry and upload the file to the iPhone.
<dict>
	<key>displayIdentifier</key>
	<string>com.apple.MobileAddressBook</string>
</dict>

Fix My Number Display

In iTunes and at the top of the contacts list on the iPhone, your phone number should normally show. But if the SIM card is not programmed to include the actual phone number, it will not be shown.

  1. SSH remotely into the iPhone.
  2. Stop the CommCenter: 'launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist'.
  3. Start the modem configurator: 'minicom -s'.
  4. Use the arrow keys to select 'Serial port setup'.
  5. Press 'A' for Serial Device, delete 'modem' and type 'tty.baseband'. The full string should be '/dev/tty.baseband'.
  6. Press enter twice to save the settings. Select 'Exit' and then initialize the modem.
  7. Type 'AT' to get an 'OK' confirmation. Type 'AT+CPBS="ON"' to select the 'ON' (own numbers) phonebook, which holds the 'My Number' entry.
  8. Then type 'AT+CPBW=1,"xxxxxxxx",,"N Telenor"' (note the two commas) to program your phone number and carrier.
  9. Verify by issuing 'AT+CPBR=1' and 'AT+CNUM'.
  10. Exit minicom by pressing CTRL+A and then Q.
  11. Load the CommCenter again: 'launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist'.
  12. Reboot the iPhone and look for the number in the contacts list and iTunes.

Low Space Fix

The system partition is only 300 MB and is quickly filled when installing third-party applications. The media partition, on the other hand, holds the rest of the free flash storage.

  1. SSH into the iPhone. Make a complete backup of the iPhone beforehand via SFTP.
  2. Edit the fstab to allow execution of applications on the media partition: 'pico /etc/fstab' and remove ',noexec'.
  3. Change directory to root: 'cd /'.
  4. Copy the Applications directory over to the media partition: 'cp -Rv Applications/ private/var/root/'.
  5. Delete the entire Applications directory: 'rm -rv /Applications'.
  6. Create a new symbolic link from the media partition back to the root directory: 'ln -s private/var/root/Applications .'.
  7. List the directory to make sure Applications points to private/var/root/Applications.
  8. Reboot the iPhone and install a bazillion more applications.

iPhuc AFC Fix

AFC is the protocol iTunes uses to transfer files to the iPhone. To make iPhuc/iPhoneBrowser work, a second AFC service is needed for root filesystem access.

  1. Back up /System/Library/Lockdown/Services.plist and edit Services.plist.
  2. Add this section after the com.apple.afc entry:
<key>com.apple.afc2</key>
<dict>
	<key>Label</key>
	<string>com.apple.afc2</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/libexec/afcd</string>
		<string>--lockdown</string>
		<string>-d</string>
		<string>/</string>
	</array>
</dict>
  3. Open a command prompt and enter iPhuc (iphuc.exe/iphuc_jailbreak.exe/iPhuc).
  4. Enable the afc2 service: 'setafc com.apple.afc2'.
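Added example, not code from the wiki: a Python script that performs the Services.plist edit above with plistlib, which reads binary and XML plists alike, so the binary-to-xml website used elsewhere on this page is not needed for this step. The Services.plist content is a constructed minimal sample, not a copy from a device. The afcd_root check is the useful part afterwards: an afc2 entry with '-d /' hands the whole root filesystem to any host that can pair over USB, which is exactly what you want to be able to spot on a device.

```python
import plistlib

# Constructed minimal Services.plist in XML form (not copied from a device).
# A real one lists many more lockdown services; only the shape matters here.
SAMPLE_SERVICES_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.afc</key>
	<dict>
		<key>Label</key>
		<string>com.apple.afc</string>
		<key>ProgramArguments</key>
		<array>
			<string>/usr/libexec/afcd</string>
			<string>--lockdown</string>
			<string>-d</string>
			<string>/var/root/Media</string>
		</array>
	</dict>
	<key>com.apple.mobile.installation_proxy</key>
	<dict>
		<key>Label</key>
		<string>com.apple.mobile.installation_proxy</string>
	</dict>
</dict>
</plist>
"""

AFC_LABEL = "com.apple.afc"
AFC2_LABEL = "com.apple.afc2"


def afc2_entry(root: str = "/") -> dict:
    """The dict from the page: a second afcd instance rooted at `root`."""
    return {"Label": AFC2_LABEL,
            "ProgramArguments": ["/usr/libexec/afcd", "--lockdown", "-d", root]}


def add_afc2(services: dict) -> dict:
    """Return a copy with com.apple.afc2 inserted right after com.apple.afc.

    Mirrors the hand edit described on the page. Running it twice is harmless:
    an existing afc2 entry is left untouched.
    """
    if AFC2_LABEL in services:
        return dict(services)
    if AFC_LABEL not in services:
        raise ValueError("no com.apple.afc entry; is this really Services.plist?")
    patched = {}
    for label, entry in services.items():
        patched[label] = entry
        if label == AFC_LABEL:
            patched[AFC2_LABEL] = afc2_entry()
    return patched


def patch_services(data: bytes) -> bytes:
    """Load Services.plist (binary or XML), add afc2, return it as XML.

    plistlib.loads autodetects the format, and the device reads XML plists
    too, so the result can go straight back to /System/Library/Lockdown/.
    """
    services = plistlib.loads(data)
    return plistlib.dumps(add_afc2(services), fmt=plistlib.FMT_XML, sort_keys=False)


def to_binary(data: bytes) -> bytes:
    """Re-encode a plist as binary, the form the file is shipped in on the device."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_BINARY)


def service_labels(data: bytes) -> list:
    """Top-level service names, in file order."""
    return list(plistlib.loads(data).keys())


def afcd_root(data: bytes, label: str) -> str:
    """Directory an afcd service exposes: the argument following '-d'.

    Audit check: '/' means the whole root filesystem is reachable over USB
    from any paired host, not just the Media partition.
    """
    args = plistlib.loads(data)[label]["ProgramArguments"]
    return args[args.index("-d") + 1]


if __name__ == "__main__":
    patched = patch_services(SAMPLE_SERVICES_PLIST)
    print(service_labels(patched))
    print(AFC2_LABEL, "exposes", afcd_root(patched, AFC2_LABEL))
    # On a real device: read /System/Library/Lockdown/Services.plist, pass the
    # bytes to patch_services(), write the result back (after taking a backup).
```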

Notes

The new v1.1.1 update fixes a lot of localization problems and seems to gear up for the official European release, as it includes German, French and UK dictionaries stock in the update.

To get special characters, like æøå in Norwegian, press and hold the key to get a pop-up with an array of different variations of that character.

The iPhone was still unlocked after the v1.0.2 to v1.1.1 update; the phone came with baseband v04.01.13_G and was unlocked with AnySIM v1.1. It did not need to be unlocked again after the update, showing that the AnySIM team has resolved the bricking issues.

To fix the localization for countries other than those mentioned, only two files need to be updated.

  1. Install the appropriate AppSupport from the Dev Wiki. This fixes the length problem of the phone number matching.
  2. Download /System/Library/CoreServices/Springboard.app/M68AP.plist and change the International key to true. Convert it first with the binary-to-xml website. This enables a slew of options in the Settings -> General panel, including Language, Keyboards and Region Format (.GlobalPreferences.plist). I set the Language to English, Keyboard to US and Norwegian, and Region Format to Norway. When typing on the keyboard, there is now a new button to switch between the US and Norwegian keyboards.

Fix Stuck Recovery Mode

  1. Open a command prompt and execute iphoneinterface.exe from the JailbreakWindows_v1.1.1 package.
  2. Enter the commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot.
  3. Type exit to quit.

Contacts Hack

If the phone is not activated and you want to go to jailbreakme.com, Wifi has to be configured first, using a workaround to get to the system preferences.

  1. On the keypad, enter *#307# and press Call.
  2. Answer the call and press Hold.
  3. If Hold is not available, delete the *#307#, enter 0 and press Call.
  4. Now answer the call and press Hold.
  5. Decline the next call and the Recent Calls screen should appear.
  6. Add a new contact with the URLs 'prefs://1F' and 'http://jailbreakme.com'.
  7. Tap the first URL to configure the Wifi and the second to jailbreak the phone.

Easy Jailbreak for v1.1.1

A TIFF exploit is used to jailbreak v1.1.1. Recently an easy-to-use web-based jailbreaking method was released, jailbreakme.com. The website utilizes the TIFF exploit to:

  1. Jailbreak the iPhone using the TIFF exploit
  2. Patch Springboard
  3. Activate the phone
  4. Install Installer.app
  5. Fix Youtube
  6. Patch the TIFF vulnerability
  7. Enable the afc2 protocol

Firmware v1.1.2

The new iPhone v1.1.2 firmware patches the TIFF exploit and requires some extra work to update. Uploading files for the jailbreak requires a new standalone application.

  1. If you accidentally updated to v1.1.2, downgrade to v1.1.1 by enabling restore mode: hold the Power and Home buttons for 5-10 seconds. The screen will be black on v1.1.2.
  2. If iTunes reports an error 1, try to use iBrickr 0.91 or higher to get into the correct restore mode.
  3. Connect to the computer and when iTunes says that it found an iPhone in restore mode, click Ok.
  4. Download v1.0.2 or v1.1.1 from Apple, Shift/Command-click the Restore button and select the downloaded firmware.
  5. After it reboots into the yellow triangle, open iPhuc and enter these commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot, or use iPhuc to boot the iPhone.
  6. Now, while in v1.0.2, jailbreak it using iBrickr or AppTappInstaller. Activate using iBrickr to upload the iPhoneActivation.pem to /Library/System/Lockdown/ and run iAsign --automatic iPhoneActivation_private.pem to activate as described above.
  7. Install Community Sources and OpenSSH (to transfer AnySIM if not installed via AppInstaller).
  8. Unlock the new baseband version using AnySIM. Download AnySIM 1.2.1u and upload it to /Applications/anySIM.app (important: the folder is named anySIM.app). Make it executable: chmod +x anySIM.
  9. Install OkToPrep to create a special file in the Media partition (to interface with the 1.1.2 firmware and create a dump and re-write the firmware later).
  10. Then update (not restore) to v1.1.2 in iTunes using the Update button.
  11. Download and extract the jailbreak v1.1.2 package and execute windows.bat to start the GUI Java process. It will jailbreak, copy over the patched lockdownd and activate, fix Youtube, and install Installer.app.
  12. After it has rebooted two times, install BSD Subsystem and OpenSSH.
  13. For internationalization a few files have to be patched: AppSupport to fix phone number matching, UIKit to add return/new line in SMS, and Preferences to get all countries in International settings. Norwegian language pack.

Note: It's not possible to activate v1.1.1 with the new v1.1.1 baseband version upgrade; a new lockdownd for v1.1.1 is required.

Fix Bad Unlock

If the AnySIM process rebooted midway or stopped, the baseband may need to be downgraded or re-uploaded.

  1. Downgrade to firmware v1.0.2 using the Shift/Command-click Restore function.
  2. Download the virginizer pack from the iPhone Elite team and ieraser, or the complete pack from iFon.
  3. In addition the secpack for the current baseband version is required; for the v1.1.2 4.02.13_G baseband, download AnySIM 1.2.1u.
  4. Upload the folder to the root (/) on the iPhone, rename secpack40213.bin to secpack and make bbupdater and ieraser executable: chmod +x bbupdater ieraser.
  5. Disable the CommCenter: launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  6. Wipe the baseband by simply executing ./ieraser and wait for it to finish.
  7. To verify, execute ./bbupdater -v; it should respond 'baseband unresponsive to pinging'.
  8. Upload the new baseband: ./bbupdater -e ICE03.14.08_G.eep -f ICE03.14.08_G.fls
  9. Verify the new 03.14.08_G baseband: ./bbupdater -v.
  10. Update to the latest jailbroken and unlockable firmware.

Download the SSH terminal log

Note: Don't use iUnlockx; it corrupts the integrity of the baseband. This was the first free unlock process available and is now obsolete.

Out-of-The-Box v1.1.2

iPhones with 1.1.2 and 1.1.3 firmware out of the box have a newer bootloader (v4.6) which is patched against the vulnerability used to unlock iPhones with earlier versions of the bootloader.

Currently the only way to use the iPhone as a phone is to use one of the proxy SIM card solutions. The popular ones are StealthSIM and TurboSIM. More about proxy SIMs [1]:

All "SIM" cloning cards exploit a bug in the firmware that will take a "valid" ICCID (Integrated Circuit Card ID) during the phone initialization. This will cause the phone to believe it's running with an "authorized" SIM, as the ICCID contains the code for the carrier. That is why it works out of the box. It's like a "pre-loaded" TurboSIM. It seems that StealthSIM uses the same ICCID for all of their piggyback SIMs; with TurboSIM it will copy it from a given SIM, and one can program several TurboSIMs with a single ICCID.

Firmware v1.1.3

At the Macworld 2008 Expo, a new iPhone update was announced, including SMS to multiple people, movable items on the home screen, webclips, triangulating your location in Maps, hybrid map view, and lyrics. There are a few new changes not announced by Apple, like support for third-party applications (Nikita).

Jailbreak

As usual, to jailbreak the new firmware, the iPhone has to be jailbroken before starting the procedure. To jailbreak this release, the firmware has to be decrypted and decompressed, patched, jailbroken and pre-activated, have Installer.app and the soft upgrade script inserted, be recompressed, uploaded to the iPhone, and flashed via the soft upgrade script [2].

Note: Neither of these methods is a true jailbreak, as the kernel is still from the previous v1.1.2 firmware. A proper jailbreak could be performed with ZiPhone, but I've already moved to v1.1.4.

Old method:

This method is by Natetrue and apparently was leaked prematurely. There seem to be more problems cropping up after this jailbreak, as the baseband and kernel are not updated. Locate Me doesn't work because the new baseband is not updated and not unlockable yet, EDGE settings are not saved but work after a network settings reset, and there is no patch yet for international keyboard preferences [3]. Hopefully the new baseband can be unlocked to accept any SIM.

  1. Make a backup of the Library directory (contacts, messages, settings, etc) even though it won't be erased after the update.
  2. Download the special edition iBrickr.
  3. Open iBrickr and continue to download the firmware patch (11 MB) and then the v1.1.3 firmware image (162 MB) from Apple.
  4. Continue to the next step: extracting, decrypting, decompressing, and patching the firmware. All this requires at least 400 MB free space on the computer.
  5. Confirm to upload the firmware; it requires 300 MB on the Media partition.
  6. Now, on the iPhone install the "1.1.3 soft upgrade" application to initialize the upgrade (upgrade.sh). It will stall for 10-15 minutes before it reboots to complete the upgrade. If the screen automatically locks after a minute, you can still slide to unlock it and use the phone, but the upgrade script is running in the background, making the iPhone feel sluggish.
  7. Voilà! Version 1.1.3 is installed. The iPhone is still unlocked after the update (no baseband update) and all settings are preserved. To fix the Caller ID, update AppSupport. A Norwegian localization package is available on ipod1.no.

New method (recommended):

This is the Official Dev Team jailbreak for 1.1.3, hosted by conceitedsoftware.com. The jailbreak is done entirely on the iPhone; the only thing needed is to install the upgrader application.

  1. Make sure the iPhone is running a jailbroken v1.1.2 firmware.
  2. Open Installer.app and refresh the source list if it's not updated. The upgrader is included in the default source lists.
  3. Install the 'Official 1.1.3 Upgrader' application.
  4. Exit Installer.app, go into Settings -> General -> Auto-Lock and set it to Never.
  5. Now, start the Upgrader application. The application will download the 162 MB firmware image from Apple and do the rest of the patching, decrypting, decompressing and writing of the new image. Make sure to dock the iPhone.
  6. After 30 minutes the process should have finished and the iPhone rebooted into v1.1.3.
  7. To enable all the international keyboards, install the patched UIKit binary, and to enable your country create the necessary directory, like /Applications/Preferences.app/Norwegian.lpro. For European phone number support, install the patched AppSupport package. More details for Norwegian localization.

Complete Norwegian Keyboard

On a regular iPhone keyboard, to get the æøå characters you have to hold the a and o keys for the alternative characters to become available. This hack replaces the Russian keyboard layout with a complete Norwegian keyboard that includes all the special keys in one layout.

  1. Add the source http://install.ifon.no to Installer.app.
  2. Install MobileEnhancer (package), which does the file replacement and enabling work.
  3. Next, install the Norsk tastatur (1.0.2-1.1.3) package with the modified Cyrillic/Russian keyboard.
  4. Go into Settings -> International -> Keyboards and enable Russian.
  5. Now, open SMS or any application requiring a keyboard and click the little globe icon to switch between the enabled keyboards (English, Norwegian, and the complete Norwegian keyboard).
  6. For the dictionary to work with the complete keyboard, the files in /System/Library/KeyboardDictionaries/ have to start with ru_RU, e.g. ru_RU-unigrams.dat, in addition to the regular nb_NO-unigrams.dat.

Firmware v1.1.4

The v1.1.4 firmware is a minor bug fix update and brings no new features. The build number for v1.1.3 was 4A93, and v1.1.4 4A102. It's thought that Apple released this update to prepare for the March 6th iPhone SDK event. It fixes some SMS ordering, mail sending, Bluetooth, and cell signal strength bugs.

In other unlocking news, the v4.6 bootloader has been cracked by Geohot in a 24-hour run, finally allowing software SIM unlocking on out-of-the-box iPhones. The new bootloader was introduced in factory-new iPhones that came with firmware v1.1.2 or higher. Currently it can unlock baseband 4.02.13_G (introduced with v1.1.2) when running bootloader v4.6, and unlock baseband 4.03.13_G (v1.1.3) or higher when running v3.9 [4] [5]. It's possible to downgrade from bootloader v4.6 to the more flexible v3.9 (which has less protection, the RSA exploit) using gbootloader [6] [7].

What's even more fun is that the new gunlock [8] will turn a virginized baseband into an IPSF-like unlock on bootloader v3.9 iPhones, meaning it is resistant to restores and (hopefully) future updates [9]. No unlocking is needed after an update. The unique seczone file, aka lock table, is patched. To recap: bootloader, baseband, secpack, seczone. Every section is authenticated and secured from alteration [10]. Comparatively, AnySIM patches the baseband firmware and won't survive an update [11].

As the update brought minor changes, most of the patches from v1.1.3 can be used on this update (lockdownd, AppSupport). An iPhone user called Zibri has developed a new application making jailbreaking, activating, and unlocking a breeze. The application is called ZiPhone and was originally developed for Mac OS X, but a Windows version is now available. It uses a new ramdisk exploit to boot up and enable write access, patches lockdownd [12] using iPatcher from v1.1.3 [13], copies Installer.app, and runs gunlock to unlock the baseband.

It's best to start with a plain sheet, although I managed to run the Geohot IPSF script on my Official Dev Team v1.1.2 jailbroken iPhone with 4.02.13_G AnySIM v1.2.1 unlocked baseband. I first ran the ipsf.sh script through SSH, which stalled and timed out on the iUnlock part; I rebooted the iPhone and Wifi/cell signal was not started because of the bad ./iUnlock secpack debugvirgin command. After restarting the ipsf.sh script in Term-VT100 it succeeded fine.

To recap all the different tools offered by Geohot (only ipsftool is needed for v3.9 IPSF unlock):

  • ipsftool.zip - used to exploit the RSA flaw in bootloader v3.9 and allow the IPSF unlock; patches the seczone token value with zeros, which is restore and update resistant (hopefully)
  • gunlock.zip - used to unlock out-of-the-box v1.1.2/v1.1.3 iPhones with bootloader v4.6 and works like an AnySIM patch [14]; currently supports baseband 04.02.13_G (v1.1.2), 04.03.13_G (v1.1.3) coming
  • gbootloader.zip - used to downgrade bootloader v4.6 to v3.9 and to use the IPSF unlock above; currently no way to go back, 46_GEOMOD is coming

Term-VT100

It's recommended to do all bootloader, baseband, secpack, and seczone programming through a terminal on the iPhone, not through SSH. The Wifi connection will time out on firmware v1.1.1 and later if there is no activity.

On v1.1.3, the Term-VT100 application has to be set up with SUID to allow root login; otherwise the login attempt will fail.

Easy automatic way:

  1. Install the Term-VT100 terminal application.
  2. Add a new source to Installer.app, address http://install.ifon.no or http://www.trejan.com/irepo/.
  3. Install the SUID Lib Fix and Term-VT100 SUID Fix; they fix a library problem and allow Term-VT100 to log in as root.
  4. Try to open Term-VT100 and log in with root and alpine.

Manual way:

  1. Install Term-VT100
  2. Log in as root over SSH and execute mkdir -p /usr/local/arm-apple-darwin/lib [15] [16]
  3. Next, make a symbolic link to the required library, ln -sf /usr/lib/libgcc_s.1.dylib /usr/local/arm-apple-darwin/lib/libgcc_s.1.dylib
  4. Last, set the SUID bit on Term-VT100, chmod +s /Applications/Term-vt100.app/Term-vt100
  5. Try to open Term-VT100 and log in with root and alpine

Restore Baseband

This restore can be done on any firmware version, e.g. 1.0.2, but a cell signal can only be acquired on v1.1.3 or later because lockdownd expects a certain baseband version.

Automatic way:

  1. Add a new source to Installer.app, host http://installer.iClarified.com, and a new iClarified category will appear [17]
  2. Disable Auto-Lock in Settings -> General -> Auto-Lock -> Never
  3. In Installer.app, install the Baseband Updater (04.03.13_G) package and let the bbupdater script run until it finishes
  4. Reboot the iPhone and check Settings -> General -> About and the baseband version should show 04.03.13_G

Manual way:

  1. Download the BB cleaner package with the bbupdater flasher and the required baseband files
  2. Upload the files (bbupdater, ICE04.03.13_G.eep, ICE04.03.13_G.fls, secpack) to the iPhone over SCP, e.g. to /cleaner
  3. SSH or SCP into the iPhone and make bbupdater executable, chmod +x bbupdater
  4. Disable the CommCenter, launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  5. Set Auto-Lock to Never and open Term-VT100, enter ./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep
  6. After 3 minutes the baseband is programmed, reboot the iPhone and check the version in Settings -> General -> About
  7. Alternatively, execute ./bbupdater -v and verify that the output shows the new baseband firmware version, as below:
    firmware: DEV_ICE_MODEM_04.03.13_G
 eep version: EEP_VERSION:208
eep revision: EEP_REVISION:1
  bootloader: BOOTLOADER_VERSION:3.9_M3S2
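Because the later seczone and bootloader steps assume a particular modem firmware and bootloader, it is safer to check the ./bbupdater -v output mechanically than by eye. The following is an added example (not from the wiki or from Geohot's tools): a small shell pre-flight check that parses that output and refuses to continue unless both fields match what the next step expects; the function names and the sample output are constructed here, the field layout is the one shown above.

```shell
#!/bin/bash
# Added example, not part of the original page: parse "./bbupdater -v"
# output and gate the next (destructive) step on the versions it reports.

# bb_field NAME: print the value of one field ("firmware", "bootloader", ...)
# from bbupdater -v output read on stdin. Lines look like "   name: VALUE".
bb_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# bb_preflight EXPECTED_MODEM EXPECTED_BOOTLOADER: read bbupdater -v output
# on stdin, return 0 only if modem firmware and bootloader both match,
# otherwise explain on stderr and return 1 so a calling script can abort.
bb_preflight() {
    local out fw bl
    out=$(cat)
    fw=$(printf '%s\n' "$out" | bb_field firmware)
    bl=$(printf '%s\n' "$out" | bb_field bootloader)
    case "$fw" in
        DEV_ICE_MODEM_"$1") ;;
        *) echo "refusing: modem firmware is '$fw', expected DEV_ICE_MODEM_$1" >&2
           return 1 ;;
    esac
    case "$bl" in
        BOOTLOADER_VERSION:"$2") ;;
        *) echo "refusing: bootloader is '$bl', expected BOOTLOADER_VERSION:$2" >&2
           return 1 ;;
    esac
    echo "ok: modem $1 on bootloader $2"
    return 0
}

# Constructed sample output in the format shown on the page (v1.1.3 baseband
# on the v3.9 bootloader). In real use pipe the tool itself:
#   ./bbupdater -v | bb_preflight 04.03.13_G 3.9_M3S2 || exit 1
SAMPLE_OK='    firmware: DEV_ICE_MODEM_04.03.13_G
 eep version: EEP_VERSION:208
eep revision: EEP_REVISION:1
  bootloader: BOOTLOADER_VERSION:3.9_M3S2'
```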

If the iPhone is already Geohot IPSF seczone unlocked, remember to execute the two AT+ commands on boot-up [18].

IPSF Unlock

The Geohot IPSF unlock method modifies the seczone (which is unique on every iPhone) and zeros out the token value [19], so that it always returns valid responses when queried by the system.

Geohot continually updates the ipsf.sh script and binaries required to run the unlock. Get the latest from the original Geohot blog post.

  1. Flash the baseband to 04.03.13_G (v1.1.3), ./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep, and verify with ./bbupdater -v
  2. Download the ipsftool.zip and upload the files to the iPhone via SCP, e.g. /ipsftool
  3. Put the bbupdater, ICE04.03.13_G.fls, and ICE04.03.13_G.eep files in the same directory, /ipsftool
  4. Set Auto-Lock to Never and make sure Term-VT100 is installed and working, as described a few paragraphs above
  5. Note: The script will run a lot of dangerous commands that could render the unit useless, so make sure the iPhone is docked and charged
  6. Make the script executable, chmod +x ipsftool.sh
  7. Run it via Term-VT100, never through SSH, ./ipsftool.sh
  8. After 5-10 minutes the seczone should've been patched and at the end baseband 04.03.13_G is restored. Open the ipsftool.sh script to follow the execution.
  9. The new unlock method expects two AT+ unlock commands to be sent before it can acquire a cell signal
  10. Install a handy modem tool called igsm to send the commands
  11. With CommCenter still unloaded, execute /usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\"" and /usr/bin/igsm -c "AT+CLCK=\"PN\",2" (or vice versa) until the latter command returns +CLCK: 0
  12. Load the CommCenter to get a cell signal, launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  13. Now back up the entire ipsftool directory to a CD-R or USB pendrive; it will come in handy later if the process has to be reversed for some reason

Unlock Commands

The unlock commands need to be sent before CommCenter is loaded, otherwise the modem is busy. The script below hijacks/bootstraps the CommCenter service [20]. Hopefully future versions of lockdownd will be patched to send these commands automatically.

  1. Install igsm [21] in /usr/bin and make it executable, chmod +x /usr/bin/igsm
  2. Rename CommCenter, mv /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter_original
  3. Create a new script file, pico /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter, with the following content:
     #!/bin/bash
     /usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
     /usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
     exec /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter_original
  4. Make it executable, chmod +x /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
  5. Reboot or unload the CommCenter, launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  6. Load the CommCenter again, launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  7. The unlock commands will now be sent to the modem, CommCenter loads thereafter, and the cell signal is acquired after 3 seconds

There is also an application called Signal.app [22] [23] [24] that does exactly the same thing. Note that the commands should not be executed on AnySIM unlocked iPhones, as the NCK counter could lock down the iPhone [25].

Alternatively, add a LaunchDaemon in /System/Library/LaunchDaemons (e.g. com.apple.igsm.plist) that runs the following script:

#!/bin/bash
launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
/bin/sleep 2
/usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
/usr/bin/igsm -c "AT+CLCK=\"PN\",0,\"00000000\""
/usr/bin/igsm -c "AT+CLCK=\"PN\",2"
/bin/sleep 2
launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist

Reverse IPSF Unlock

The IPSF unlock can be reversed; there are a few unofficial ways to do it (hackint0sh.org and zjollotto.com). It requires the original seczone file dumped during the IPSF unlock process to create a new loader/payload for iUnlock.

The reversal uses the same binaries and files as when the unlock was done; the only thing that could have changed in the meantime is the baseband version, if the firmware was updated, e.g. to v1.1.4. Use the correct secpack [26] for the baseband version currently on the iPhone to get write access. The last part restores the baseband to a default state.

  1. Unload CommCenter, launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  2. Move to /ipsftool and create the new seczone loader, cat secloader seczone > fselector_revert
  3. Do the next parts in Term-VT100 or else the Wifi will stop working in v1.1.3
  4. Use iUnlock to write back the original seczone, ./iUnlock secpack fselector_revert
  5. Reset/restart the baseband as iUnlock doesn't do it, ./norz seczone.ignore 0x3FA000 0x2000
  6. Now, get the programmed seczone for comparison (e.g. in Tiny Hexer), ./norz seczone.revert 0x3FA000 0x2000 (same command again)
  7. Restore the baseband firmware, ./bbupdater -f ICE04.03.13_G.fls -e ICE04.03.13_G.eep
  8. And load CommCenter, launchctl load -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  9. The iPhone is now locked and no cell signal is acquired; use AnySIM v1.3 (confirmed working) or go back to the Geohot IPSF method to unlock the iPhone
  10. Remember to disable the AT+ commands sent during update, in either /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter or Signal.app

Update to v1.1.4

To get a good and clean update to firmware v1.1.4, the iPhone should be restored to v1.1.4, then jailbroken and activated via the new ZiPhone application. Don't use ZiPhone to restore. The application packs together many of the previous methods and patches; it performs the jailbreak on boot-up using a new ramdisk exploit.

It doesn't matter if the iPhone is AnySIM or Geohot IPSF unlocked, although it would be a good idea to IPSF unlock before updating to the new firmware. Currently there is AnySIM for baseband 04.04.05_G (v1.1.4).

  1. Download the v1.1.4 firmware (162 MB) and plug in the iPhone
  2. Install the latest iTunes (v7.6.1) and SHIFT+click the Restore-button, select the v1.1.4 firmware image
  3. Alternatively, get the iPhone into recovery mode using iphoneinterface.exe included in the iBrickr package, type enterrecovery to start
  4. Wait for the restore to complete, takes 4-5 minutes
  5. Delete old iPhone backups in iTunes, go to Preferences -> Syncing, and delete all the entries in the list. Old settings can sometimes butcher the setup after jailbreaking.
  6. Download the latest ZiPhone (9.9 MB) and make sure iTunes IS running
  7. Start the ZiPhoneGUI.exe application and open the 'Advanced Features'-tab to the lower-right
  8. Select 'Jailbreak file system' and 'Activate', nothing else is needed, start the actions with the 'Perform Actions'-button
  9. The process takes under a minute to complete, from entering restore mode, starting the ramdisk exploit, and booting up again [27]
  10. Use Installer.app to install BSD Subsystem, OpenSSH, and maybe Community Sources, to get back up and running

If the iPhone was IPSF unlocked, perform the AT+ modem unlock commands mentioned above to get the baseband to acquire a cell signal.

My iPhone now runs firmware v1.1.4 4A102, modem baseband firmware 04.04.05_G with Geohot IPSF token zeroed seczone.

Region Format

  • Files to patch: UIKit binary to enable international keyboards
  • Files to patch: Preferences binary to enable all regions and languages

This will enable all countries in Settings -> General -> International. See also the guide "How to Unlock the 1.1.4 iPhone Region Format".

Automatic:

  1. Add the source http://install.ifon.no and http://installer.iclarified.com
  2. Install the Internasjonal (1.1.4) and Region Patch (1.1.4) packages
  3. Reboot to apply the changes

Manual:

  1. Download the international.1.1.4.zip
  2. Extract the UIKit.org and UIKit to /System/Library/Frameworks/UIKit.framework
  3. Make UIKit executable, chmod +x /System/Library/Frameworks/UIKit.framework/UIKit

Next, patch Preferences:

  1. Rename the original Preferences binary, mv /Applications/Preferences.app/Preferences /Applications/Preferences.app/Preferences.original
  2. Download region114.zip
  3. Extract the patched Preferences to /Applications/Preferences.app
  4. Make it executable, chmod +x /Applications/Preferences.app/Preferences
  5. To add language support (text translation), create a directory for each language name in /Applications/Preferences.app, e.g. Norwegian.lproj (translation files are still needed)
  6. Now, open Settings and go to the General -> International section and make the correct Region Format and Keyboards settings

International Phone Number

  • Files to patch: AppSupport to fix caller id and crashes

This patch gives correct caller-id phone number matching (a number with and without country code, etc., maps to the same contact) and fixes dialer crashes. Either use Installer.app to install the iClarified package or use the manual installation. [28]

Automatic way:

  1. Make sure the http://installer.iclarified.com source is included in Installer.app (ifon.no uses the patched 1.1.3 files for 1.1.4 for some reason)
  2. Install the AppSupport Patch (1.1.4) package and wait for it to install
  3. Reboot to load the new Appsupport binary

Manual way:

  1. Get the AppSupport files for 1.1.4 from iclarified.com
  2. Rename the original AppSupport binary, mv /System/Library/Frameworks/AppSupport.framework/AppSupport /System/Library/Frameworks/AppSupport.framework/AppSupport.original
  3. Extract the new files to /System/Library/Frameworks/AppSupport.framework
  4. Make AppSupport executable, chmod 755 /System/Library/Frameworks/AppSupport.framework/AppSupport
  5. Reboot to apply the new AppSupport

Dictionary

  • New localized no_* and ru_* dictionary files

To get a localized dictionary when using text input, a new dictionary for the selected region format has to be installed. For Norway the locale id is no_NB (Norwegian Bokmål).

Automatic way:

  1. Add the source http://install.ifon.no to Installer.app
  2. Install the Norsk Ordbok package

Manual way:

  1. Download the ru_RU-dict_1.0.zip dictionary archive
  2. Extract all the no_* and ru_* files to /System/Library/KeyboardDictionaries
  3. The ru_* files are identical to the no_* files, but they are used when the complete keyboard layout patch is installed via MobileEnhancer (which replaces the Russian Cyrillic characters with Norwegian ones)
  4. Reboot to load the new dictionary files

Downgrade Bootloader

New iPhones with v1.1.2 and later firmware have a new v4.6 bootloader that patches the RSA flaw found in the earlier v3.9 bootloader [29].

  1. Restore the iPhone to an older firmware that is easier to do modem work on: open ZiPhone and under Advanced press DFU Mode
  2. When the iPhone reboots with the iTunes+connector image, in iTunes hold Shift+Click the Restore button and select the v1.1.1 firmware image
  3. Once the restore is done, iTunes will report an error 1015, that's OK
  4. Open iBrickr and click Boot iPhone to get it out of restore mode, if the screen turns green, restore the iPhone once more, and try iBrickr again till it turns red and boots successfully
  5. Do the *#307# trick and jailbreakme.com or i.unlock.no method mentioned on the v1.1.1 jailbreak section above to jailbreak the firmware
  6. Install Community Sources, BSD Subsystem, and OpenSSH
  7. SCP upload the downgrade package (md5 c1956f131b894a2a75909750a1449058) files, e.g. to /downgrade. Small note: the secpack in the package is from 03.03.05_G but works on newer basebands, e.g. 04.04.05_G
  8. Make the files executable, over SSH execute chmod +x /downgrade/*
  9. Wifi is unreliable and the main process should always be run via a terminal on the iPhone, so install Term-VT100 (SUID fix not needed on v1.1.1)
  10. Unload the CommCenter, launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
  11. Now, execute the main process via Term-VT100, ./gbootloader secpack bleraser bldl 3.9_M3S2.nor (or create a go.sh script and upload it to skip entering the long string manually)
  12. Next, restore the baseband firmware to 03.14.08_G (v1.0.2), ./bbupdater -f ICE03.14.08_G.fls -e ICE03.14.08_G.eep
  13. Before updating the iPhone firmware to the latest version, consider doing the Geohot IPSF unlock while in v1.1.1 (remember the AT+ unlock commands to get signal)
  14. Update or restore to the latest firmware the usual way in iTunes. Afterwards ./bbupdater -v should report the new baseband on the downgraded v3.9 bootloader:
    firmware: DEV_ICE_MODEM_04.04.05_G
 eep version: EEP_VERSION:208
eep revision: EEP_REVISION:1
  bootloader: BOOTLOADER_VERSION:3.9_M3S2

For some reason I had to use ZiPhone and the unlock function to get a cell signal even when the seczone was IPSF unlocked. Could be a mishap between the bootloader downgrade and the IPSF unlock.

References