iPod Touch: Easiest jailbreak ever - no computer required!

[planetbeing]

Thanks to hdm of Metasploit, we are now armed with the knowledge of how to custom-craft our own exploit tiffs. His groundwork with reliable code execution has made better jailbreaks possible. He is especially to be admired for the pedagogical detail that allows everyone to have a better understanding of his techniques and the internals of the device.

Based upon his work, I have created a tiff that entirely jailbreaks the iPod, installs Installer.app and OpenSSH, along with an easy on/off program that lets you switch SSH/SFTP/SCP on or off for both security and battery saving purposes.

SummerBoard is no longer installed since the latest version from Installer.app works fine and requires no tinkering.

You do need a relatively stable wi-fi connection for this, since your iPod will be download a couple of megabytes of information.

So, there are now two steps, one of which is optional:

1. Restore and/or update your iPod/iPhone to a fresh copy of the 1.1.1 firmware. This is probably not necessary if you have not messed around with your iPod too much.
2. In Safari on your iPod, visit dn.vc/jb (an alias for http://www.slovix.com/touchfree/jb)

Safari will crash after a moment. Nothing will appear to happen for about 30 seconds (so be patient). Then, the iPod will automatically restart and you will be jailbroken!

It's quite beautiful, in my opinion, because it's easy and platform-independent (doesn't matter if you're running Mac or PC).

This will probably be the simplest way.... until Apple fixes the TIFF security hole, so enjoy while you can.

I'll make the source code available to anyone who contacts me. It's pretty trivial to set up mirrors.

Oh, and P.S.: A shout-out and props to rezn who was the first to get something like this working. My implementation is entirely independent and is neater (since it uses HTTP instead of requiring raw TCP and socat) IMHO, but he was the first, and his success prodded me to make my own.

Video of what the process ought to look like: http://www.youtube.com/watch?v=RHHPVhDfxT8

[David G.]

Is it possible to do this and then later restore to an absolutely untouched state, so much so that doesn't know and void my warranty should I send it in for any reason?

[parrotheadmjb]

Quote:

Originally Posted by David G.

Is it possible to do this and then later restore to an absolutely untouched state, so much so that doesn't know and void my warranty should I send it in for any reason?

click on restore in itunes

[Corius]

Hi

I tried the http://www.slovix.com/touchfree/jb/ URL in my ipod touch, safari crashed and then the ipod rebooted, after the reboot it remains frozen in the apple logo. I cannot get past the logo and cannot enter restore mode either, I bricked my ipod!

Any help will be appreciated.

Thank You.

[dschiller]

I've tried this after many unsuccessful attempts with other methods (see this thread) and I am glad to say that it worked! This is fantastic!

Congratulations to the developer of this!

Cheers
Daniel

[mmfy]

Quote:

Originally Posted by Corius

Hi

I tried the http://www.slovix.com/touchfree/jb/ URL in my ipod touch, safari crashed and then the ipod rebooted, after the reboot it remains frozen in the apple logo. I cannot get past the logo and cannot enter restore mode either, I bricked my ipod!

Any help will be appreciated.

Thank You.

Quote:

Originally Posted by dschiller

I've tried this after many unsuccessful attempts with other methods (see this thread) and I am glad to say that it worked! This is fantastic!

Congratulations to the developer of this!

Cheers
Daniel

So does it work or not??

[planetbeing]

Quote:

Originally Posted by Corius

Hi

I tried the http://www.slovix.com/touchfree/jb/ URL in my ipod touch, safari crashed and then the ipod rebooted, after the reboot it remains frozen in the apple logo. I cannot get past the logo and cannot enter restore mode either, I bricked my ipod!

Any help will be appreciated.

Thank You.

The first reboot can take up to two minutes, so be patient. If you interrupted the reboot, you may have to restore. (I'm assuming the device rebooted automatically)

[coreybox]

worked great for me

[LGShepherd]

i have just done this and it works great!

however, i have one question, how do i add other apps to this? the installer has a bunch of them, but i would like the iphone apps on my touch as well, how would i do this?

thanks
Liam

[dschiller]

Quote:

Originally Posted by LGShepherd

i have just done this and it works great!

however, i have one question, how do i add other apps to this? the installer has a bunch of them, but i would like the iphone apps on my touch as well, how would i do this?

thanks
Liam

Using iJailbreak to install the iPhone apps might work, though I haven't tested that. If you try it, please let us know if it works.

[Lixivial]

Quote:

Originally Posted by planetbeing

It's quite beautiful, in my opinion, because it's easy and platform-independent (doesn't matter if you're running Mac or PC).

Yeah, kudos on the simplicity. But beautiful is not what I'd label a show-stopping, widely documented security flaw.

The weakest vector to attack is the human element. People really want apps on their iPod touch and iPhone. To me, that's not a situation I'd label "beautiful."

[planetbeing]

Quote:

Originally Posted by Lixivial

Yeah, kudos on the simplicity. But beautiful is not what I'd label a show-stopping, widely documented security flaw.

The weakest vector to attack is the human element. People really want apps on their iPod touch and iPhone. To me, that's not a situation I'd label "beautiful."

Hacks are beautiful, flaws are not. If you want to see something ugly, read the specifications for TIFF. The very fact that just by you browsing my website, I can do whatever I want to your device is obviously very dangerous. As soon as I have fully reviewed the patches that are now available for that security hole, I will automatically apply them. For now, despite ominous warnings by some security professionals, nothing malicious has appeared to exploit them. Though, it's not unimaginable that someone might eventually think having an iPhone/iPod botnet would be fun. Haha.

I'm not really certain what you're getting at by your second paragraph. Are you saying that people wanting third-party applications is not "beautiful"? Who are you? Steve Jobs?

Or are you saying that, somehow, people wanting 3rd party applications on their device are security vulnerabilities. That's not really true; people are only security vulnerabilities when they act in unsafe ways. Using the TIFF exploit from a known source is as risky as installing a program from a known source. After all, I'm not BonzaiBuddy. Taking care not to open e-mails or visit websites from shady sources will still serve to guard safe people adequately for the time being (but not when malware start to actually pop up).

The desire of people to have 3rd party applications does tend to make security vulnerabilities on the iPhone and iPod touch to appear faster than they would normally, because of the tremendous amount of effort the community expends on finding cracks in the armor and wedging them wide open. Arguing that that's bad is like arguing for security through obscurity. If the current hackers don't find these problems while searching for ways to enable 3rd party applications and publicize them, some others will and sell these vulnerabilities to spammers and botnet owners instead.

At any rate, we can both agree that both the iPhone and iPod touch are currently woeful in terms of security. I just find your other comments, well, confusing.

[evilgreg]

WOW! Nice job on this hack, and unlike the guy a few posts above me, I DO agree with you that this is beautifully done. This will save a LOT of people major headaches, and I know if I have to restore my iPod, I'll use this method for shure. Compatible with the iPhone I presume?

[lupka]

I did my jailbreak the hard way a few weeks ago, but its really cool to see something like that.

[zagnutts]

I was able to visit http://www.slovix.com/touchfree/jb/ in safari. Everything seemed to be working fine. The browser closed and the iphone restarted. But after the restart, nothing has changed. Any suggestions? I just got the phone and even did a restore.

[planetbeing]

Quote:

Originally Posted by zagnutts

I was able to visit http://www.slovix.com/touchfree/jb/ in safari. Everything seemed to be working fine. The browser closed and the iphone restarted. But after the restart, nothing has changed. Any suggestions? I just got the phone and even did a restore.

You're using an iPhone, correct? Are you activated?

Also try restarting the device again. It also won't hurt if you try to visit the url again. If those actions don't work, come back here and tell me because that's really weird.

[Corius]

I interrupted the rebooting process after the safari crash :S

I can enter the restore mode and my PC recognizes and tries to "restore and update" but iTunes is giving me "The iPod could not be restored. Theres not enough memory available".

I'm kinda lost here.

[jigimu]

Yes, It worked fine with no problem!! Thanx to the responsible Geek

[dxerboy]

FYI out there: third time was the charm for me. Very very sweet hack. Cheers!

[zagnutts]

Quote:

Originally Posted by planetbeing

You're using an iPhone, correct? Are you activated?

Also try restarting the device again. It also won't hurt if you try to visit the url again. If those actions don't work, come back here and tell me because that's really weird.

I am using an iPhone but am not activated. I have tried restarting it again,but still nothing.

[Shnoops]

Now lets say I use this expoilt get the installer app and such. now wen apple sounds out the newest firmware will i be able to do a restore and than be able to upgrade?

[Lixivial]

Quote:

Originally Posted by planetbeing

Though, it's not unimaginable that someone might eventually think having an iPhone/iPod botnet would be fun.

I was thinking more like corrupting the baseband or muddling the nvram (single-user mode) -- parameters which a restore will *not* fix. But, yeah, any malicious intent.

Anyroad, I apologise that I probably misread your comment I originally quoted. I just find it interesting that in this instance -- which is the very definition of "remote code execution" -- hacks based on this flaw are lauded with great applause. I'm just thinking about what would have happened if this was a Mac OS X flaw and it was disclosed to the public as a major problem with libtiff by a security expert.

Quote:

Originally Posted by planetbeing

I'm not really certain what you're getting at by your second paragraph. Are you saying that people wanting third-party applications is not "beautiful"? Who are you? Steve Jobs?

... Arguing that that's bad is like arguing for security through obscurity.

No, (the prospect of) third-party apps are why I bought my iPhone June 29th.

Anyroad, I was saying that people's deep desire for an easy-to-use jailbreak method makes social engineering even easier than it already is. The prospects of a device that has and relies heavily on camera, microphone, and keyboard is a data gold mine. I wasn't saying it has or would happen, but more that it could (which is stating the obvious... obviously. ) And I wasn't implying you of creating a malicious piece of software, but I was giving general caution to just blindly following proclamations by people about their way to jailbreak the iPhone. That's all.

I didn't mean to hijack your thread, but I, myself, wasn't exactly certain what you meant by your original comment so that's why I responded in the first place. I do agree that this method seems to be the easiest implementation I've seen, and I'll reiterate my kudos to your efforts.

[planetbeing]

Quote:

Originally Posted by Lixivial

I didn't mean to hijack your thread, but I, myself, wasn't exactly certain what you meant by that comment. I do agree that this method seems to easiest implementation I've seen, and I'll reiterate my kudos to your efforts.

Oh no, it's fine. I just wanted to make those points anyway for awhile and needed to get it out, haha. Sorry you were on the receiving end of it!

[droogie69]

hey thanks this work great for me
i was able to hack it but how can i edit/add my calendar
and one more thing how can i get the note application too

[Corius]

I was able to restore the Ipod finally, I'll try the hack again later on.