Let's actually unlock the iPhone

Discussion in 'iPhone' started by geohot, Jun 30, 2007.

  1. geohot macrumors newbie

    Joined:
    Jun 30, 2007
    #1
    All current claims to people owning an unlocked iPhone are false. To this date no one I am aware of has successfully unlocked an iPhone. I purchased an iPhone at 6 yesterday with the sole purpose of unlocking it. I have T-Mobile and have zero intention of switching to AT&T. So, I'm looking for the community who is currently trying to unlock it. I was involved in the uncrippling the V710 project and was impressed by the people I met.

    I'm hoping we could get a sticky thread going with all the current progress made. Maybe this thread :)

    Here is the progress I have made so far. My friend purchased an iPhone as well yesterday and let me run a USB sniffer while he was activating it. Here is that log. You can view it with SnoopyPro. Currently, I cannot even get my iPhone off the main screen saying I need to activate it. That is the first step towards an unlock. I'm surprised no one has really started hacking it yet; where are the firmware dumps, does it have seems, where is the unlocked status stored? Post whatever you can find out. My sn is "imgeohot". If this community is as good as the V710 community, we can have this thing unlocked in a week.

    The iPhone is an amazing device, let's bring it to the AT&T free masses. I am looking for the "they" people claim will unlock the iPhone and actually will work on it.

    This is a crosspost from HoFo
     
  2. Catgofire macrumors newbie

    Joined:
    Jun 29, 2007
    #2
    You know that the iPhone won't work on T-Mobile's network even if you do unlock it, right? And that your T-Mobile SIM chip won't work in your iPhone?
     
  3. fowler. macrumors 6502a

    fowler.

    Joined:
    Apr 18, 2004
    Location:
    Pasadena
    #3
    not saying this isn't true, but how can we know until someone has unlocked the phone and inserted a t-mobile sim?

    i just saw this site pop up..

    iphoneunlocking.com/
     
  4. vivniko macrumors newbie

    Joined:
    Jun 6, 2007
  5. mcl macrumors regular

    Joined:
    Dec 5, 2002
    #5

    Looks like it's using SSL.

    By the way, that capture log contains your friend's computer's host cert and host private key, which means anyone could forge an SSL connection and pretend to be using your friend's computer. Asymmetric public-key cryptography isn't quite so secure when the private keys get leaked.

    Interestingly, the root cert and root private key being used are in there as well.

    However, the device private key is missing, as would be expected, because it's stored on the phone and not communicated.

    So, you did a marvelous job capturing an encrypted SSL session.

    Without the iPhone's private key (which is probably randomly-generated on the phone when first powered up during factory testing), decrypting it is going to be problematic.
     
  6. geohot thread starter macrumors newbie

    Joined:
    Jun 30, 2007
    #6
    How do you know this? And why would a private key ever be sent over any communications channel?
     
  7. geohot thread starter macrumors newbie

    Joined:
    Jun 30, 2007
    #7
    I mean fully unlock the phone. And theres no reason it won't work on T-Mobile. All iPhone unlock sites are scams, because if it has been unlocked people would have posted pictures.

    But first I must get past that first activation screen...
     
  8. besalva macrumors newbie

    Joined:
    Jun 30, 2007
    #8

    You should try this forum: http://www.hackint0sh.org/forum/
    They are making some progress
     
  9. mcl macrumors regular

    Joined:
    Dec 5, 2002
    #9
    It's trivial to run the log through strings and examine the DTDs and data fields. The EnableSessionSSL key was a bit of a giveaway. :)

    You ran the capture software on your friend's computer during the unlocking process. The two private keys on your friend's computer were thrown into the DTDs for the XML used as part of that process.

    Why that occurred is something you'd have to ask the Apple software engineers. Rather idiotic if you ask me, but I guess they assumed a short cable between your computer and your phone was a secure channel, and thus there would be no harm in putting it on the wire. Not something I'd ever recommend (inductive taps, anyone?), but it wasn't my call to make.

    If you're bored, cd to the directory where you stored the iphoneunlock.usblog file, and strings iphoneunlock.usblog | more.
     
  10. geohot thread starter macrumors newbie

    Joined:
    Jun 30, 2007
    #10
    Nice. I was just viewing it with SnoopyPro and I couldn't really get the whole picture. So a packet by packet retransmit won't work. And without the private key of the phone I can't think of any way to decrypt it. Can you?

    Over here they found a program that iTunes calls to send data to the iPhone. I'm assuming data is passed to this program unencrypted. So what if we sniff these pipes during activation?
     
  11. mcl macrumors regular

    Joined:
    Dec 5, 2002
    #11
    It'll probably be easier to just use the functionality in the firmware to activate it directly without trying to spoof it. I'm fairly certain iTunes will recognize an already-activated iPhone.
     
  12. Draythor macrumors 6502

    Draythor

    Joined:
    Sep 12, 2006
    Location:
    Exeter University, UK
    #12
    I don't claim to be an expert on this but it seems that there are only two ways about this:
    Fooling the iPhone into to thinking that it has an AT&T sim in it
    or
    skipping activation entirely

    Just my two cents
     
  13. MacDonaldsd macrumors 65816

    MacDonaldsd

    Joined:
    Sep 8, 2005
    Location:
    London , UK
    #13
    I suppose its down to how it was programmed. Even if iTunes thinks its a AT&T sim doesn't necessarily mean the iPhone will be fooled.
     
  14. biturbomunkie macrumors 6502a

    Joined:
    Jul 30, 2006
    Location:
    cali
    #14
    i wonder if iTS would check for att subscription every time when syncing.

    if someone can figure out a workaround, then i might get an iphone as well. :D
     
  15. maxlee macrumors newbie

    Joined:
    Dec 1, 2004
    #15
    Interesting. I went over to the forum. Read the threads, saw some guy wanting a iPhone and asking for money for it. I sent money by Paypal and
    1 hour later Paypal calls up saying I did something wrong and I shouldn't be doing it.

    Hmmmm. The darkside of Apple is growing strong. Beware.

     
  16. tem07 macrumors newbie

    Joined:
    Jun 29, 2007
    #16
    i just gave sam 300 usd so they can buy the iphone 4gb.
    hopefully will be there on thursday, like mine :)
    on the hackint0sh irc #iphone they have already discovered many things :)
    iphone hopefully will be cracked this week.
     
  17. skubish macrumors 68030

    skubish

    Joined:
    Feb 2, 2005
    Location:
    Ann Arbor, Michigan
    #17
    Don't worry guys, if its possible some Apple employee will leak it onto the net. With this ATT exclusive, I am pretty sure they have the iPhone locked down tight.
     
  18. mcl macrumors regular

    Joined:
    Dec 5, 2002
    #18
    Such as?
     
  19. alana22 macrumors regular

    Joined:
    Apr 12, 2007
    Location:
    Seattle
    #19
    Hehe, I think that's what the record labels said when they started their disc protection, only to realize a simple mark on the underside of the CD with a Sharpie would override it. :)

    Never underestimate the hackers, they are among the smartest people out there.
     
  20. one1 macrumors 65816

    Joined:
    Jun 17, 2007
    Location:
    Chattanooga, TN
    #20
    Apple paid a team of engineers big bucks to make this thing lock down so it is not going to be an easy task.

    Fortunately the team of people working to unlock it is much larger :D

    If I were apple, I'd do something unexpected. They've been working with windblows so much lately the trick is likely some hybrid crossover of dos, linux LOL! ;)

    It is supposed to be based on the Leopard OS though......
     
  21. appleii2mac macrumors regular

    Joined:
    May 23, 2007
    #21
    Funny thing that you never hear of anyone breaking DES except through a brute force attack.
     
  22. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #22
    I wonder if this will attract a community donation cash prize the way that some other recent projects, like OS X on Windows, etc, have?
     
  23. br- macrumors member

    Joined:
    Aug 7, 2006
    #23
    Awesome. That's very generous.
     
  24. mcl macrumors regular

    Joined:
    Dec 5, 2002
    #24
    You'd be surprised. In the firmware, there's this:

    DISK VOLUME 254
    A 002 HELLO



    Recognize it? No? AppleDOS. From the Apple ][ days. I should know; I've got a working //e on my desk right now (LCD monitor, Ethernet card, IDE and CF interface, etc.)
     
  25. Counterfit macrumors G3

    Counterfit

    Joined:
    Aug 20, 2003
    Location:
    sitting on your shoulder
    #25
    Well, if if you do manage to get it on T-Mobile, you won't have the visual voicemail.
     

Share This Page