Difference between revisions of "IPhone 3GS Hacking"

From ivc wiki

Latest revision as of 23:01, 28 October 2009

This is the third revision Apple has made to the iPhone. It mainly improves the processor speed, system memory and camera, and adds compass functionality. Although it seems like a minor update, it certainly has an effect. The device operates more like it should and feels very responsive, with almost no waiting when opening applications or performing tasks.

Jailbreaking

Jailbreaking the 3GS is different from the former models. The 3GS incorporates a new encrypted system security model.

I jailbroke the 3GS on a Mac in a two step process, first acquiring the iBEC and iBSS encryption files, then jailbreaking it using purplera1n.

Capture iBEC and iBSS (done on a Mac):

  • Download the v3.0 firmware for the 3GS in Firefox (Safari will extract the image if not set up properly)
  • Backup the 3GS, it has to be restored next
  • Open a Finder window, select the Go menu, and select 'Go to Folder', paste this path '/Users/<USERNAME>/Library/Caches/Cleanup At Startup' (replace with your username)
  • With the window open in the background, turn off the 3GS and connect it to the Mac
  • Hold the power button for 3 seconds, then hold both the power and home button for 10 seconds, and at last release the power button, this will make it enter DFU Mode
  • iTunes will respond and say it found an iPhone in restore mode, which is what we need
  • Now, in iTunes alt+click the restore button and select the v3.0 ipsw file downloaded previously
  • Switch back to the window opened earlier and wait until the extraction is done in iTunes, once done copy the entire folder to your desktop
  • Let the restore process complete and in the meanwhile go to the 'Apple Software/DFU/' folder and you will see two files starting with iBEC and iBSS. Copy these files to a safe place. These will allow the iPhone to be jailbroken at anytime in the future as it includes the security keys to patch and talk to the 3GS.

The files aren't required for the next step, purplera1n will extract them by itself. They are for future reference.

Jailbreaking using purplera1n (done on a Mac):

  • Set up a Wi-Fi connection if the iPhone was restored previously
  • Download the purplera1n application from purplera1n.com
  • Connect the 3GS and execute the application
  • Click 'Make it ra1n' and wait for the 3GS to reboot
  • The payload will be uploaded to the iPhone and once done a new application called 'Freeze' will show up on the 3GS
  • Open the 'Freeze' application and tap 'Install Cydia', wait for it to complete
  • Reboot the 3GS and open 'Freeze' once again and 'Install Cydia' once more
  • Now Cydia should be properly installed and the 3GS is now jailbroken!

If the iPhone has been updated to v3.0.1 software, purplera1n will fail. Try to use redsn0w v0.8 or later, which has the same functionality, and a restore is not required. Remember to use the v3.0 ipsw for v3.0.1 jailbreaking.

Raising the display

On my unit the display is a bit sunk into the body of the unit. When moving my finger across the edges I can feel the rough edge of the chrome bezel.

A way to fix this would, obviously, be to raise the display from behind. As I discovered, both the 3G and 3GS are really easy to open compared to the 2G. Place a suction cup on top of the screen near the home button and lift with a fair amount of pull.

I cut 6 strips of 50.0x5.0 mm regular A4 paper and placed them on each side of the screen (long side). The reason for this is that the mid-point on the display will otherwise be pressing against the back of the touch-glass (pressure-rings can be seen then).

After this modification the electrical functions inside are still intact, and the edge of the bezel is smooth and not rough to the touch.

Install Installous

The Installous repository has a lot of cool utilities for the iPhone.

  1. Open Cydia, go to Manage, then Sources
  2. Add http://cydia.hackulo.us to the list

Enable tethering

Take a look at the tips and tricks page:

Fix halted boot

I had a booting problem with my 3GS, it halted at the Apple logo when the device was turned on. I believe a bad data cable is the root cause, possibly corrupting a critical system file.

The only way to recover was a DFU recovery, or full restore. The only backup I had was the one made by iTunes a few days before.

  1. Connect a working USB cable to a computer with iTunes and the ipsw file you want to restore
  2. Hold down power+home until the iPhone shuts down
  3. Press power and then power+home again, during the Apple logo it should blink and go to black
  4. Release the power button but keep pressing home for 10 seconds
  5. A message should pop up that a DFU device is found and iTunes will prompt that it found a device in recovery mode
  6. Now, as the 3GS has a new firmware protection that prohibits restoring to previous versions, use Pwnagetool to create a custom firmware package, e.g. v3.1.2
  7. But first restore with an original v3.1.2 package; once the first restore is successful, wait for Pwnagetool to put the 3GS in Recovery (not DFU) mode
  8. And now use shift/option-click the Restore button and select the custom package this time
  9. Now the iPhone should be updated and jailbroken

Cydia - On-file system

The 3GS prohibits restoring to previous system versions, e.g. 3.1 to 3.0. This is because Apple checks the version before signing a few essential update files with their private key and the 3GS' unique ECID.

But there is a 'relay attack' vector that makes it possible to be a man-in-the-middle between the iTunes client and the Apple authentication servers. It's done by pointing the locally resolved hostname (gs.apple.com) to a different IP address.

Saurik, one of the developers behind Cydia, has created a server that captures the hash keys sent by Apple and stores them, or puts them on file if you will.

By storing them it will later be possible to downgrade to earlier firmware versions by reusing the valid stored hash keys (signed with Apple's private key + the device ECID). The keys are then sent to iTunes by the Cydia server instead of by Apple, which would no longer send valid keys for the older version.

The only change needed is to edit /etc/hosts (Mac) or \Windows\system32\drivers\etc\hosts (Windows) and add:

74.208.105.171 gs.apple.com

Next time a restore is done, the keys for the current firmware (e.g. v3.1) will be stored by Cydia.
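Because the whole trick rests on one hosts-file line, the same line is what an administrator would audit for. As an added example (not from the wiki page or from Cydia), the POSIX shell function below parses a hosts file, ignoring comments and handling several names per line, and reports any entry that overrides gs.apple.com or another apple.com host; it is run here against a constructed sample hosts file, not the real /etc/hosts.

```shell
#!/bin/sh
# Added example, not from the ivc wiki page: audit a hosts file for entries
# that redirect Apple's signing server (gs.apple.com) to another address.

# Print every active (non-comment) hosts entry whose names include
# gs.apple.com or any other apple.com host, as "IP hostname".
# Exit status 0 when at least one override is found, 1 otherwise.
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }          # drop trailing comments
        NF < 2 { next }             # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /(^|\.)apple\.com$/) {
                    print $1, tolower($i)
                    found = 1
                }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample hosts file: the usual localhost lines plus the
# redirect line described on the page.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# added for Cydia on-file SHSH caching
74.208.105.171 gs.apple.com
EOF

if hosts_overrides "$SAMPLE_HOSTS"; then
    echo "WARNING: hosts file redirects Apple signing traffic (see above)"
fi
```

Run it against /etc/hosts instead of the sample to check a real Mac; an empty result with exit status 1 means no Apple host is overridden.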