IPhone Hacking: Difference between revisions
| Line 288: | Line 288: | ||
| # If iTunes reports an error 1, try to use iBrickr 0.91 or higher to get into the correct restore mode. | # If iTunes reports an error 1, try to use iBrickr 0.91 or higher to get into the correct restore mode. | ||
| # Connect to computer and when asked by iTunes that it found a iPhone in restore mode click Ok. | # Connect to computer and when asked by iTunes that it found a iPhone in restore mode click Ok. | ||
| # Download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw v1.1.1] from Apple and Shift/command-Click the Restore button and select the downloaded firmware. | # Download [http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw v1.1.1] or 1.0.2 from Apple and Shift/command-Click the Restore button and select the downloaded firmware. | ||
| # After it reboots into yellow triangle, open iPhuc and enter these commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot, or use iPhuc to boot the iPhone. | # After it reboots into yellow triangle, open iPhuc and enter these commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot, or use iPhuc to boot the iPhone. | ||
| # Now while in v1.0.2, jailbreak it by using iBrickr or AppTappInstaller. Activate using iBrick to upload the iPhoneActivation.pem to /Library/System/Lockdown/ and iAsign --automatic iPhoneActivation_private.pem to activate as described above. | # Now while in v1.0.2, jailbreak it by using iBrickr or AppTappInstaller. Activate using iBrick to upload the iPhoneActivation.pem to /Library/System/Lockdown/ and iAsign --automatic iPhoneActivation_private.pem to activate as described above. | ||
Revision as of 23:53, 8 January 2008
The iPhone was released in the USA 29th June 2007, and after 2 months it was finally possible to hack the iPhone to allow it run true native third-party applications, aka homebrew applications.
Jailbreak v1.0.2
Downgrade
If the phone came with v1.1.1, it's (as of writing) necessary to downgrade to v1.0.2.
- Download the iPhone v1.0.2 firmware from Apple.
- Download and install iTunes v7.3.2. Select a new folder if iTunes is already installed.
- On the iPhone, press and hold both the SLEEP and HOME buttons for 8-10 seconds.
- The screen should go completely black, release the SLEEP button and continue to hold the HOME button.
- When the iPhone says 'Connect to iTunes' release the button and connect the USB-cable.
- Open iTunes and click 'Ok' when it prompts that a restore is needed. Hold SHIFT (on Windows) and select the v1.0.2 firmware file.
- The restore should complete with a 1013 error. A yellow triangle on the iPhone indicates that v1.0.2 has been installed.
Jailbreak
Jailbreaking means to escape the 'Media'-partition of the iPhone where only some settings and all the media files is stored. Technically the jailbreak is essentially a 'chroot /var/root/Media'.
- There are two ways to jailbreak on Windows, Apptapp installer or iBrickr. Download the recommended Apptapp installer.
- With the iPhone still in the yellow-triangle-restore-mode, run Apptapp and let it process through all the steps. It will jailbreak and install Installer.app.
- Once jailbreaked, the iPhone will return to the 'Slide for emergency' and still needs activation to load the normal Springboard.
Activate
A normal iPhone can only work and be activated on the AT&T operator. Faking the activation tricks the iPhone into 'Activated'-state and all the functions except phone is available.
- Download the iAsign package for Mac and then the Windows (Win32) update. Put iAsign.exe in the 'bin'-folder.
- Upload the iPhoneActivation.pem file to the iPhone and put it in /Library/System/Lockdown/ using the upload function iBrickr.
- Open a command-prompt (Start -> Run -> cmd) and change directory (cd) to the iAsign folder.
- Run 'iAsign --automatic iPhoneActivation_private.pem' to generate a new activated certificate on the iPhone.
- A message should show stating the iPhone is activated. The 'Slide to emergency'-message should have changed to 'Slide to unlock'.
- You now see the Springboard and the 'Installer' application.
- To make it easy to upload files and execute remote commands on the iPhone, open Installer, install 'BSD Subsystem' and 'OpenSSH'. Use WinSCP to connect with username 'root' and password 'dottie' (first connect takes time).
Youtube
Youtube requires some certificates to work properly.
- Download the 3 required Youtube files.
- Upload the data_ark.plist, device_private_key.pem and device_public_key.pem files to /var/root/Library/Lockdown/.
- Open the data_ark.plist and copy the certificate block ending om '...FLS0tLS0K'.
- In the same directory, go into 'pair_records', edit the file (double click), paste the certificate into the DeviceCertificate section.
- Go into the 'activation_records' directory and to the same for all the files.
- Hold the SLEEP button for 5 seconds and reboot the iPhone.
Unlock
To be able to use any SIM-card the iPhone's baseband firmware has to be modified.
- Download AnySIM v1.1 and extract the AnySIM.app folder.
- Upload the AnySIM.app folder to the /Application/ directory on the iPhone
- Change the permissions on the 'anysim' binary to 0755 by selecting 'Properties' in WinSCP and checking all the checkboxes for 'X'.
- Shutdown the iPhone, insert the new SIM-card and power-on. AnySIM should appear in the Springboard.
- Open AnySIM, disable the Auto-lock as instructed and follow the two steps to begin the unlocking. Normally takes 5-10 minutes to complete the unlocking.
- If you get a 'SIM Locked'-message after the process is successful, press 'Unlock' and enter the PIN-code for the SIM. You can disable the prompt in Settings -> Phone -> SIM Pin.
Localization
Keyboard
The iPhone does not come with any other dictionary or keyboard layouts then the default American package.
New recommended method:
- In Safari go to http://russianiphone.com/beta/en/ and http://iph0ne.moo.no/ and install the sources when prompted.
- Go into Installer and install Mobile Enhancer (which is a plugin like extension) and Norwegian Keyboard (plugin for Mobile Enhancer).
- Reboot phone.
Old method: To add Norwegian locale support, a few files has to be patched. The character '[', ']' and '{' will be replaced with 'æ', 'ø' and 'å' respectively.
- Download the Norwegian dictionary from the iPhoneShop download page.
- Download the patched keyboard .artwork file with Norwegian character keyboard images.
- Download the patched UIKit binary to output the actual Norwegian character code when the key is touched.
- Extract all the files and put them into the /System/Library/Frameworks/UIKit.framework/ directory on the iPhone. Backup the originals. Change the permissions for 'UIKit' to 0755.
- Reboot the iPhone and test the new keyboard and dictionary.
Phone Number Format
The default phone number format is the classic American standard with the parentheses and spaces. The format string is dictated by a simple settings file.
Replace US format with NO format:
- On the iPhone, go to /System/Library/Frameworks/AddressBookUI.framework/ and download the ABPPhoneFormats.plist file.
- Browse to this binary-to-xml website to convert the plist to a XML-file.
- Open the new file in a plain text editor and find the 'US'-key.
- Change the format string in the 'US'-key to the new format. For Norway the string will be ######## and +47 ########.
- Save the file and upload the file to the same directory. No need to convert the plist back to binary.
- Reboot the iPhone and check the Phone application to see the new string.
International Caller ID
The iPhone supports 7 digits to handle local and international phone number formats. It cuts of from the end and tries to match the phone number with the contacts. The length differs from country to country.
- Download the patched AppSupport binary that match the length of the phone number, AppSupport.
- Upload AppSupport to /System/Library/Frameworks/Appsupport.framework/
- Reboot the phone.
Voicemail Button
The voicemail button in the Phone application will not be functional on a non-AT&T network. It's possible to re-program the button to dial the correct voicemail phone number.
- Open the Phone application and select the Keypad.
- Enter the code *5005*86*...# where the three dots ('...') indicates the voicemail phone number for the operator.
- For Telenor in Norway, this sequence is used *5005*86*+4791509001#.
- Try to hit the voicemail button and it will connect to the voicemail service.
Updating to v1.1.1
There are many interesting fixes and a few new features in the iPhone v1.1.1 firmware update. But applying the update will re-jail and flash the modem baseband. A regular update does not remove settings and all the media files are preserved, third-party applications is wiped. Some applications may need updates to function on v1.1.1.
Updating
- Open iTunes and keep it open during the next steps. This is to trick the re-jailing.
- Remotely SSH into the iPhone (using putty or terminal) and change directory (cd) to /var/root/
- Rename the 'Media'-directory to 'Media-old' using 'mv Media Media-old' and issue this command to create a symbol link, 'ln -s / Media '.
- Another prerequisite is a copy of 'lockdownd' from v1.0.2, 'cp /usr/libexec/lockdownd /var/root/lockdown.1.0.2' (/var/root/ is not erased). It's used to generate a valid activation certificate on v1.1.1.
- Now, in iTunes click the 'Update'-button to start the update process. When it's finished the phone should show a activation screen and the slider should say 'Slide to emergency'. Everything is OK.
Enabling read/write
- Download the JailbreakWindows_v1.1.1.zip package and extract it.
- Open a command-prompt and change directory to the JailbreakWindows directory and execute the iphuc-jailbreak.exe application.
- To make sure the iPhone is jailbroken, issue 'ls' and look for 'Applications'. It it shows up, everything is good.
- To enable read/write (rw), the /etc/fstab file has to be replaced. A special putjailbreak-command overwrites the correct sector in the flash to update the file. In ipuch-jailbreak.exe, issue 'putjailbreak rdisk0s1 /dev/rdisk0s1'.
- Reboot the iPhone to enable read/write filesystem.
Install SSH
This step assumes a working Wifi configuration has been set up before the v1.1.1 upgrade. Else you need a open Wifi network and/or do the activation and contacts hack to enable a Wifi network connection to be able to connect via SSH.
- In the JailbreakWindows folder, delete the com.apple.update.plist.orig, com.apple.update.plist.orig, update and update.org files. Else the renaming of the original files from the iPhone will fail.
- Open a commd-prompt and execut the sshify-windows.bat batch file. Follow the simple instructions.
- When phase 4 is finished, the last 'fileref' should return 0. That means a file failed to be copied.
- Execute iphoneinterface.exe and issue this command to upload the last com.apple.update.plist, 'putfile /System/Library/LaunchDaemons/com.apple.update.plist'.
- Reboot the iPhone once more to enable the dropbear SSH server.
- Connect to the SSH server (putty or terminal) and use the username root and the new password alpine. The dropbear server does not support SFTP, only SCP.
Install Installer.app
- Follow the same procedure when installing SSH above.
- Open a command-prompt and execute the installapps.bat batch script.
- Installer.app can be executed via SSH before activation if wanted by doing the activation and contacts hack.
Activating
- Open a command-prompt and change directory to the JailbreakWindows directory.
- Execut iphoneinterface.exe and issue this command to install the public certificate to make the activation work, ' putfile /System/Library/Lockdown/iPhoneActivation.pem'
- SSH remotely and make a copy of lockdownd for v1.1.1, 'cp /usr/libexec/lockdownd /var/root/lockdownd.1.1.1'.
- Install the 'cp' binary, iphoneinterface.exe and 'putfile /bin/cp'. Fix the permissions 'chmod +x /bin/cp'.
- Copy the old lockdownd from v1.0.2 over the current lockdownd, 'cp /var/root/lockdown.1.0.2 /usr/libexec/lockdownd'.
- Restart the lockdownd daemon, 'ps xa', find the PID, 'kill 21'. It should automatically restart.
- If 'ps' is not precent, install the BSD Subsystem pack with the Installer.app and contact hack above.
- Do the same for the afcd daemon, 'ps xa', 'kill 43'.
- Note that iphoneinterface.exe will fail to work if the iPhone is rebooted with lockdownd from v1.0.2, afc requires v1.1.1. Copy over v1.1.1 before rebooting.
- Download the iAsign package for Mac and then the Windows (Win32) update. Put iAsign.exe in the 'bin'-folder.
- Open a command-prompt and change directory to the iAsign folder.
- Run 'iAsign --automatic iPhoneActivation_private.pem' to generate a new activated certificate on the iPhone. A message should show stating the iPhone is activated.
- Restore the lockdownd from v1.1.1, 'cp /var/root/lockdown.1.1.1 /usr/libexec/lockdownd'.
- Kill lockdownd once more and it should, 'ps xa', and 'kill <pid>'.
- The iPhone screen should now have a 'Slide to unlock'-slide and the phone is successfully activated.
Patch Springboard
The new Springboard has to be patched to behave as before.
- Make springpatch executable, 'chmot 755 /usr/bin/springpatch'.
- Execute the patch, '/usr/bin/springpatch'.
Fix Installer.app Settings
If Installer.app was installed before the update, all the preferences files are invalid as the applications are wiped.
- Remove the preferences for Installer.app, 'rm -r /private/var/root/Library/Installer'.
- Make the new Installer.app executable, 'chmod 755 /Applications/Installer.app/Installer'.
- Reboot to load the changes.
Restoring Media Partition
- Remove symbol link, 'rm Media'.
- Move old Media library back, 'mv Media-old Media'.
Install BSD Tools
Installer.app (recommended):
- Install the BSD Subsystem via the Installer.app:
Natetrue:
- Download the Base and Extra tarballs natetrue.com.
- Transfer the files over to root (/) on the iPhone via SCP, either WinSCP or scp works.
- Remotely SSH into the iPhone and issue the extract command on both tarballs, 'tar zxvf *.tar.gz'.
- Move the files into the system using rsync, 'rsync -av BSD_Base /' and 'rsync -av BSD_Extra /'
- The extraction will overwrite original iPhone files with newer versions.
Fix SSH
The dropbear SSH server does not have SFTP and is incompatible with the Services applications. OpenSSH is recommended.
- SCP into the iPhone
- Remove the following files
/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_dss_host_key /etc/dropbear (folder) /etc/hackinit.sh /etc/init.d/dropbear.sh /etc/init.d (folder) /usr/bin/dropbear
- Install Community Sources and OpenSSH client and server.
- Reboot the iPhone to enable the new SSH server.
Add Contacts Icon
Add a contacts icon on the home screen.
- Download /Systems/Library/CoreServices/Springboard.app/M68AP5.plist.
- Add this string before the 'com.apple.MobileStore' and upload the file to the iPhone.
<dict> <key>displayIdentifier</key> <string>com.apple.MobileAddressBook</string> </dict>
Fix My Number Display
In iTunes and on top of the contacts list on the iPhone, your phone number should normally show. But if the SIM card is not programmed to include the acutal phone number it will not be shown.
- SSH remotely into the iPhone
- Stop the commcenter, 'launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist'
- Start the modem configurator, 'minicom -s'
- Use the arrow keys to select 'Serial port setup'
- Press 'A' for Serial Device, delete 'modem' and type 'tty.baseband'. The full string should be '/dev/tty.baseband'.
- Press enter twice to save the settings. Select 'Exit' and the initialize the modem.
- Type 'AT' to a 'OK' confirmation. Type 'AT+CPBS="ON"' to enable the 'My Number' feature.
- Then type 'AT+CPBW=1,"xxxxxxxx",,"N Telenor"' (two commas) to program your phone number and carrier.
- Verify by issuing 'AT+CPBR=1' and 'AT+CNUM'.
- Exit minicom by pressing CTRL+A and then Q.
- Load commcenter again, 'launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist'
- Reboot the iPhone and look for the number in the contacts list and iTunes.
Low Space Fix
The system partition is only 300 MB and is quickly filled when installing third-party applications. The media partition on the other hand holds the rest of the free flash storage memory.
- SSH into the iPhone. Make a complete backup of the iPhone beforehand via SFTP.
- Edit the fstab to allow execution of applications on the media partition, 'pico /etc/fstab' and remove ',noexec'.
- Change directory to root, 'cd /'.
- Copy the Applications directory over to the media partition, 'cp -Rv Applications/ private/var/root/'.
- Delete the entire Applications directory, 'rm -rv /Applications'.
- Create a new symbol-link from the media partition back to the root directory, 'ln -s private/var/root/Applications .'
- List the directory to make sure Applications points to private/var/root/Applications.
- Reboot the iPhone and install bigillion more applcations.
iPhuc AFC Fix
AFC is the protocol iTunes uses to transfer files to the iPhone. To make iPhuc/iPhoneBrowser work, a second AFC services is needed for root filesystem access.
- Backup /System/Library/Lockdown/Services.plist and edit Services.plist
- Add this section after the com.apple.afc entry:
<key>com.apple.afc2</key> <dict> <key>Label</key> <string>com.apple.afc2</string> <key>ProgramArguments</key> <array> <string>/usr/libexec/afcd</string> <string>--lockdown</string> <string>-d</string> <string>/</string> </array> </dict>
- Open a command-prompt and enter iPhuc (iphuc.exe/iphuc_jailbreak.exe/iPhuc).
- Enable the afc2 service, 'setafc com.apple.afc2'.
Notes
The new v1.1.1 update fixes a lot of localization problems and seems to gear up for the official european release as it includes german, frence and uk dictionaries stock in the update.
To get special characters, like æøå in Norwegian, press and hold the key to get a pop-up with a array of different variations of that character.
The iPhone was still unlocked after the v1.0.2 to v1.1.1 update, the phone came with baseband v04.01.13_G and was unlocked with AnySIM v1.1. It did not require to be unlocked again after the update, showing that the AnySIM team have resolved the bricking issues.
To fix the localization for countries other than those mentioned, only two files needs to updated.
- Install the appropriate AppSupport from the Dev Wiki. This fixes the lenght problem of the phone number matching.
- Download /System/Library/CoreServices/Springboard.app/M68AP.plist and change the International key to true. Convert it first with the binary-to-xml website. This enables a flew of options in the Settings -> General panel. Including Language, Keyboards and Region format (.GlobalPreferences.plist). I set the Language to English, Keyboard to US and Norwegian, and region formats to Norway. When typing on the keyboard, there is now a new button to switch between US and Norwegian keyboard.
Fix Stuck Recovery Mode
- Open command-prompt and execute iphoneinterface.exe from the JailbreakWindows_v1.1.1 package
- Enter the commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot
- Typ exit to quit
Contacts Hack
If the phone is not activated and you want to go to jailbreakme.com. Wifi has to be configured first by doing a workaround to get the the system preferences.
- At the callpad, enter *#307# and Call.
- Answer the call and press Hold.
- If Hold is not available, delete the *#307# and enter 0 and press Call.
- Now answer the call and press Hold.
- Decline the next call and the Recent calls screen should appear.
- Add a new contacts with the url 'prefs://1F' and 'http://jailbreakme.com'.
- To the the first URL to configure the Wifi and the second to jailbreak the phone.
Easy Jailbreak for v1.1.1
A TIFF exploit is used to jailbreak v1.1.1. Recently a easy to use webbased jailbreaking method was released, jailbreakme.com. The website will utilize the TIFF exploit to:
- Jailbreakes the iPhone using TIFF exploit
- Patches Springboard
- Activates the phone
- Installs Installer.app
- Fixes Youtube
- Patches the TIFF vulnerability
- Enables afc2 protocol
Upgrade to v1.1.2
The new iPhone v1.1.2 firmware patches the TIFF exploit and requires some extra work to update. Uploading files to jailbreak requires a new standalone application.
- If you acctidently updated to v1.1.2, downgrade to v1.1.1 by enabling restore mode, hold the Power and Home button for 5-10 seconds. The screen will be black on v1.1.2.
- If iTunes reports an error 1, try to use iBrickr 0.91 or higher to get into the correct restore mode.
- Connect to computer and when asked by iTunes that it found a iPhone in restore mode click Ok.
- Download v1.1.1 or 1.0.2 from Apple and Shift/command-Click the Restore button and select the downloaded firmware.
- After it reboots into yellow triangle, open iPhuc and enter these commands: cmd setenv auto-boot true, cmd saveenv, cmd fsboot, or use iPhuc to boot the iPhone.
- Now while in v1.0.2, jailbreak it by using iBrickr or AppTappInstaller. Activate using iBrick to upload the iPhoneActivation.pem to /Library/System/Lockdown/ and iAsign --automatic iPhoneActivation_private.pem to activate as described above.
- Install Community Sources and OkToPrep to create a special file in the Media partition (to interface with the 1.1.2 firmware and create a dump and re-write the firmware later).
- Then update (not restore) to v1.1.2 in iTunes using the Update button.
- Download and extract the jailbreak v1.1.2 package and execute the windows.bat to start the GUI java process. It will jailbreak, copy over patched lockdownd and activate, fix Youtube, and install Installer.app
- After it has rebooted two times, Install BSD Subsystem and OpenSSH,
- Unlock the new baseband version using AnySIM. Download AnySIM 1.2.1u and upload to /Applications/AnySIM.app (important it's anySIM.app). Make it executeable, chmod +x anySIM.
- For internationalization a few files have to be patched, Appsupport to fix phone number matching, UIKit to add return/new line in SMS, and Preferences to get all countries in International settings. Norwegian language pack.
Note: It's not possible to activate v1.1.1 with the new v1.1.1 baseband version upgrade, a new lockdownd for v1.1.1 is required.
Fix Bad Unlock
If the AnySIM process rebooted midway or stopped, the baseband may need to be downgraded or re-uploaded.
- Downgrade to firmware v1.0.2 using the Shift/command-click Restore-function.
- Download the virginizer pack from iPhone Elite team and ierease. Or the complete pack from iFon.
- In addition the secpack for the current baseband version is required, for v1.1.2 4.02.13_G baseband download AnySIM 1.2.1u.
- Upload the folder to the root (/) on the iPhone, rename secpack40213.bin to secpack and make the bbupdater and ieraser executable, chmod +x bbupdater ieraser.
- Disable the CommCenter, launchctl unload -w /System/Library/LaunchDaemons/com.apple.CommCenter.plist
- Wipe the baseband by simply executing ./ieraser and wait for it to finish.
- To verify, execute ./bbupdater -v and it should respond 'baseband unresponsive to pinging'.
- Upload the new baseband, ./bbupdater -e ICE03.14.08_G.eep -f ICE03.14.08_G.fls
- Verify the new 03.14.08_G baseband, ./bbupdater -v.
- Update to the latest jailbreaked and unlockable firmware.
Note: Don't use iUnlockx it corrupt the integrity of the baseband. This was the first free unlock process available and is now obsolete.
Out-of-The-Box 1.1.2
iPhones with 1.1.2 firmware out of the box has a newer bootloader (v4.6) which is patched for the vulnerability used to unlock iPhones with earlier versions of the bootloader.
Currently the only way to use the iPhone as a phone, is to use one of the proxy SIM card solutions. The popular ones are StealthSIM and TurboSIM. More about proxy SIM [1]:
All "SIM" cloning cards exploit a bug in the firmware that will take a "valid" ICCID (Integrated Circuit Card ID) during the phone initialization. This will cause the phone to believe it's running with an "authorized" SIM, as the ICCID contains the code for the carrier. That is why it works out of the box. It's like a "pre-loaded" TurboSIM. It seems that StealthSIM uses the same ICCID for all of theirs pigback SIM, with TurboSIM it will copy it from a given SIM, and one can program several TurboSIM with a single ICCID.
References
- iPhone v1.1.1 Jailbreak & AppTapp Installation Guide / Jailbreak archive with readme
- iPod Touch Jailbreak
- iPhone v1.1.1 Baseband downgrading
- Unlocking The iPhone / secpack extraction
- Unlock the iPhone Simple Tutorial
- iPhone Dev Wiki Jailbreak v1.1.1
- Downgrade from v1.1.1 to v1.0.2
- Activate v1.1.1
- Re-drafted downgrading guide
- Re-drafted Jailbreaking v1.1.1
- Youtube hack
- Phone number format hack
- Fix International Caller ID / AppSupport
- Norsk iPhone Windows XP Guide
- Activation and Wifi setup via Contacts Hack
- Install BSD world on v1.1.1
- NorPhone Norwegian locale pack
- Ultimate Guide - Jailbreak/Activate/Unlock Virgin iPhones v1.1.1
- Really Ultimate Guide - Jailbreak-Unlock-Activate-YouTube Iphones 1.1.1
- Remove Dropbear
- Fix My Number display
- Downgrade v1.1.2
- Jailbreak v1.1.2
- Dev Wiki Jailbreak v1.1.2
- Ultimate guide upgrading v1.1.1 to v1.1.2
- NorPhone v1.1.2 Norwegian locale pack
- Downgrading Baseband
