iPhone almost fully hacked

Discussion in 'iPhone' started by lavrishevo, Jul 8, 2007.

  lavrishevo


    Jan 9, 2007
    "We got a serial interface working today. See the hackint0sh forum or the last progress report for instructions on building. I stayed up all night building and testing one. Don't try to modify your iPhone dock. The soldering was nearly impossible (and I hand solder QFP and TSSOP). The serial interface isn't really as great as it sounds. The nice thing is we got a Command List. These commands can be issued much more easily with sendCommandToDevice and are included in iphoneinterface. The new version has a much nicer recovery mode shell. We know how to unlock the phone. Unfortunately the commands needed gave "Permission Denied" errors. We did find a reference to a hardware register that causes the "Permission Denied" error in the bootloader, but we cannot software patch the bootloader because it is signed. The only way I see around it is JTAG, which we currently know nothing about. Or possibly in DFU mode. I think we may just be better off accessing the radio through user mode.

    Let me clarify the "modes" of the device, because only today did I really understand them. Normal mode is the running mode of the device. It uses the system from the 39 dmg, and since this is running a system, it's called User Mode. Recovery mode is embedded into iBoot. It can be entered one of two ways, either with a call to AMDeviceEnterRecovery or the home+top button combo. The call trashes the fs while the button combo does not. The third mode is Restore mode. This is the mode when the device is booted from the ramdisk, and it runs restored. All the fs commands can be accessed here, with calls to performOperation, a private dll function. The last mode is DFU mode. We currently have never entered/don't know how to enter it. I believe this is the key to uploading a patched bootloader, because I don't think it checks the signature.

    I still have never gotten a clear answer as to whether all the binaries are signed or not. I don't see a signature easily in them; they don't begin with "89001.0". If someone is looking for a way to contribute, build a gcc toolchain with support for Mach-O ARM, and compile some nice gcc binaries. I'd like those binaries for Windows. Don't harass us in the IRC chat with questions on how to build this toolchain, because we don't know. Just PM me with a link to a working binary :) Tomorrow my first priority is to get the dll to export the private functions and access restore mode directly with performOperation instead of AMRestorePerformRecoveryModeRestore. We should get nice interactive shells in all three modes. Good work today, everyone."

    "Not bad, it took folks 72 hours to break the iPhone and determine that, well, like most software products there are a couple of really bad software vulnerabilities in the system. Not quite the same land speed record that was set with the PSP, which was taken down in less than a day, yet still no surprise that there are issues with the software that will brick or take over your phone, and cost you a lot of money.

    Taking root access on the phone was as simple as parsing a file with John the Ripper.

    Among the advances made to date, hackers have discovered the password the iPhone requires to give an application root access is, amazingly, "dottie" (minus the quotation marks). A second password for mobile access is "alpine."

    The passwords were remarkably easy to learn. Researchers posting in a forum on Hackintosh first downloaded the file that iTunes accesses when a user wants to restore the iPhone software. A simple run with John the Ripper, a popular password cracking program, on one of the files contained in the download and the passwords became public knowledge. Source: The Register

    And now that the root passwords are out, and going to be very common knowledge, as services get exposed on the iPhone either for browsing, widgets, or other internet-based services, whoop, someone gets root, and people are probably going to want to make sure that a widget is a good, legal, legitimate widget before too long.

    The iPhone Hacking Wiki was an amazing thing to read, but it took me a while to get there; they might be doing IP blocks. I was forbidden on Comcast to connect, but Qwest connections did just fine. The Wiki can be found here, but again, they might be doing IP blocking. Or it might have been a bad link, a glitch in the line, or something we don't really know what it is.

    If you want to unlock, own, or otherwise explore your iPhone, the hackers are hard at work and play on this one. Well worth checking out."

    --Dan Morrill

    command list:
      help            this list
      script          run script at specific address
      go              jump directly to address
      bootx           boot a kernel cache at specified address
      diags           boot into diagnostics (if present)
      tsys            boot into tsys (if present)
      bdev            block device commands
      image           flash image inspection
      fs              file system commands
      fsboot          try to boot kernel at /kernelcache
      devicetree      create a device tree from the specified address
      ramdisk         create a ramdisk from the specified address
      tftp            tftp via ethernet to/from device
      eload           tftp via ethernet from hardcoded install server
      halt            halt the system (good for JTAG)
      reboot          reboot the device
      poweroff        power off the device
      md              memory display - 32bit
      mdh             memory display - 16bit
      mdb             memory display - 8bit
      mw              memory write - 32bit
      mwh             memory write - 16bit
      mwb             memory write - 8bit
      mws             memory write - string
      crc             POSIX 1003.2 checksum of memory
      task            examine system tasks
      printenv        print one or all environment variables
      setenv          set an environment variable
      clearenv        clear all environment variables
      saveenv         save current environment to flash
      run             use contents of environment var as script
      bgcolor         set the display background color
      setpicture      set the image on the display
      iic             iic read/write
      radio           Manipulate the radio board.
      setbusclock     Set bus clock to the given frequency in Hz.
      setcorevoltage  Set core voltage to the given voltage in mV.
      syscfg          flash SysCfg inspection
      charge          Manage the charger chip.
      powernvram      Access Power NVRAM.
      usb             run a USB command
      nand            nand flash routines
      chunk           chunk a file
    (7/6/2007)
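    The post above describes the root password being recovered by running John the Ripper over a password file pulled out of the restore image. The block below is an added example, not code from the hackint0sh team, Dan Morrill, The Register or John the Ripper: it does the same dictionary check against a constructed master.passwd file so the mechanics are visible. Everything in it is an assumption for the demo: the sample records, the salted-SHA-256 stand-in (`$demo$<salt>$<hex>`) for the DES crypt(3) hashes the real 1.0 firmware shipped, the tiny wordlist, and which password sits on which account. Against a real dump you would hand the file to `john` rather than reimplement the hash.

```python
"""Dictionary check of an iPhone-style /etc/master.passwd dump (added example).

Not code from the hackint0sh team, Dan Morrill, The Register or John the
Ripper.  Everything below is constructed: the password file, the
salted-SHA-256 stand-in for the DES crypt(3) hashes the real 1.0 firmware
shipped, and which password sits on which account.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable

# BSD master.passwd has ten colon-separated fields per record.
MASTER_PASSWD_FIELDS = (
    "name", "hash", "uid", "gid", "class",
    "change", "expire", "gecos", "home", "shell",
)

# Small constructed wordlist; John would use a much larger one plus mangling rules.
DEFAULT_WORDLIST = ("password", "123456", "apple", "iphone", "alpine", "dottie")


def demo_hash(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salted SHA-256 rendered as $demo$<salt>$<hex>."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"$demo${salt}${digest}"


def verify_demo_hash(password: str, stored: str) -> bool:
    """Recompute with the salt carried inside the stored field and compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "demo":
        return False
    return demo_hash(password, parts[2]) == stored


@dataclass(frozen=True)
class Account:
    name: str
    hash: str
    uid: int
    shell: str


def parse_master_passwd(text: str) -> list[Account]:
    """Parse master.passwd lines; skip comments and blanks, reject malformed records."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(MASTER_PASSWD_FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(MASTER_PASSWD_FIELDS)} fields, got {len(fields)}"
            )
        rec = dict(zip(MASTER_PASSWD_FIELDS, fields))
        accounts.append(Account(rec["name"], rec["hash"], int(rec["uid"]), rec["shell"]))
    return accounts


def passwordless_accounts(accounts: Iterable[Account]) -> list[str]:
    """An empty hash field means login with no password at all: worse than a weak one."""
    return [a.name for a in accounts if a.hash == ""]


def crackable_accounts(accounts: Iterable[Account]) -> list[Account]:
    """'*' is a locked account and '' has no hash to attack; everything else is a target."""
    return [a for a in accounts if a.hash not in ("", "*")]


def dictionary_attack(accounts: Iterable[Account], wordlist: Iterable[str]) -> dict[str, str]:
    """Try every word against every still-uncracked target; returns {account: password}."""
    found: dict[str, str] = {}
    targets = crackable_accounts(accounts)
    for word in wordlist:
        for acct in targets:
            if acct.name not in found and verify_demo_hash(word, acct.hash):
                found[acct.name] = word
    return found


# Constructed sample in the master.passwd layout; NOT a dump of a real firmware image.
SAMPLE_MASTER_PASSWD = "\n".join([
    "# name:hash:uid:gid:class:change:expire:gecos:home:shell",
    f"root:{demo_hash('alpine', 'Kz')}:0:0::0:0:System Administrator:/var/root:/bin/sh",
    f"mobile:{demo_hash('dottie', 'Qe')}:501:501::0:0:Mobile User:/var/mobile:/bin/sh",
    "daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false",
    f"_service:{demo_hash('n0t-in-any-list', 'r7')}:502:502::0:0:Service:/var/empty:/usr/bin/false",
    "guest::503:503::0:0:Guest:/var/guest:/bin/sh",
])


if __name__ == "__main__":
    accounts = parse_master_passwd(SAMPLE_MASTER_PASSWD)
    for name, pw in dictionary_attack(accounts, DEFAULT_WORDLIST).items():
        print(f"{name}: {pw!r}")
    for name in passwordless_accounts(accounts):
        print(f"{name}: NO PASSWORD")
```

    The point the script makes is the one the posts make: once a vendor ships a password file inside an image anyone can download, the salt only slows an attacker down per guess, and any password that appears in a wordlist falls to the first pass. The `_service` account survives because its password is not in the list, and `guest` is flagged separately because an empty hash field needs no cracking at all.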
  boss1


    Jan 8, 2007
    ¡sǝuoʇƃıɹ ʎɯ ʇuɐʍ ı

    ˙ʇno ǝpısuı puɐ uʍop ǝpısdn ǝuoɥdı uɹnʇ ǝʍ ǝɹoɟǝq ǝɯıʇ ɟo ɹǝʇʇɐɯ ɐ ʎluo s,ʇı ˙uɐɯ ʇı ʇɐ dǝǝʞ ʇnq ˙sıɥʇ ƃuıʇǝɹdɹǝʇuı ǝɯıʇ ɹıǝsɐǝ uɐ pɐɥ ı
  LillieDesigns


    Oct 18, 2005
    Los Angeles
    Yea, my brain hurts after reading that, but I think I understood some of it.
  ipoddin


    Jan 6, 2004
    Los Angeles
    Yeah. Can someone summarize in English?
  balamw


    Staff Member

    Aug 16, 2005
    New England
    Hackers have found a list of commands and ways to get the iPhone to respond to commands through a serial connection to the dock connector, not from the UI, and thus may soon be able to get those commands to do something useful.

  powerbuddy

    Jun 20, 2006
    how did you do that? :)