
lavrishevo (macrumors 68000, Original poster, joined Jan 9, 2007, NJ)
"We got a serial interface working today. See the hackint0sh forum or the last progress report for instructions on building. I stayed up all night building and testing one. Don't try to modify your iphone dock. The soldering was nearly impossible (and I hand solder QFP and TSSOP). The serial interface isn't really as great as it sounds. The nice thing is we got a Command List. These commands can be issued much easier with sendCommandToDevice and are included in iphoneinterface. The new version has a much nicer recovery mode shell. We know how to unlock the phone. Unfortunately the commands needed gave "Permission Denied" errors. We did find a reference to a hardware register that causes the "Permission Denied" error in the bootloader, but we cannot software patch the bootloader because it is signed. The only way I see around it is JTAG, which we currently know nothing about. Or possibly in DFU mode. I think we may just be better off accessing the radio through user mode.

Let me clarify the "modes" of the device, because only today did I really understand them. Normal mode is the running mode of the device. It uses the system from the 39 dmg, and since this is running a system, it's called User Mode. Recovery mode is embedded into iBoot. It can be entered one of two ways, either with a call to AMDeviceEnterRecovery or the home+top button combo. The call trashes the fs while the button combo does not. The third mode is Restore mode. This is the mode when the device is booted from the ramdisk, and it runs restored. All the fs commands can be accessed here, with calls to performOperation, a private dll function. The last mode is DFU mode. We currently have never entered/don't know how to enter it. I believe this is the key to uploading a patched bootloader, because I don't think it checks the signature.

I still have never gotten a clear answer as to whether all the binaries are signed or not. I don't see a signature easily in them; they don't begin with "89001.0". If someone is looking for a way to contribute, build a gcc toolchain with support for Mach-O ARM, and compile some nice gcc binaries. I'd like those binaries for Windows. Don't harass us in the IRC chat with questions on how to build this toolchain because we don't know. Just PM me with a link to a working binary :) Tomorrow my first priority is to get the dll to export the private functions and access restore mode directly with performOperation instead of AMRestorePerformRecoveryModeRestore. We should get nice interactive shells in all three modes. Good work today, everyone.
~geohot"



"Not bad, it took folks 72 hours to break the iPhone and determine that, well, like most software products there are a couple of really bad software vulnerabilities in the system. Not quite the same land speed record that was set with the PSP, which was taken down in less than a day, yet still no surprise that there are issues with the software that will brick or take over your phone, and cost you a lot of money.

Taking root access on the phone was as simple as parsing a file with John the Ripper.

Among the advances made to date, hackers have discovered the password the iPhone requires to give an application root access is, amazingly, "dottie" (minus the quotation marks). A second password for mobile access is "alpine."

The passwords were remarkably easy to learn. Researchers posting in a forum on Hackintosh first downloaded the file that iTunes accesses when a user wants to restore the iPhone software. A simple run with John the Ripper, a popular password cracking program, on one of the files contained in the download and the passwords became public knowledge. Source: The Register



And now that the root passwords are out, and going to be very common knowledge, as services get exposed on the iPhone, whether for browsing, widgets, or other internet-based services, whoop, someone gets root, and people are probably going to want to make sure that the widget is a good, legal, legitimate widget before too long.

The iPhone Hacking Wiki was an amazing thing to read, but it took me a while to get there. They might be doing IP blocks: I was forbidden on Comcast to connect, but Qwest connections did just fine. The Wiki can be found here, but again, they might be doing IP blocking. Or it might have been a bad link, a glitch in the line, or something we don't really know what it is.

If you want to unlock, own, or otherwise explore your iPhone, the hackers are hard at work and play on this one. Well worth checking out."

--Dan Morrill


command list:
help           - this list
script         - run script at specific address
go             - jump directly to address
bootx          - boot a kernel cache at specified address
diags          - boot into diagnostics (if present)
tsys           - boot into tsys (if present)
bdev           - block device commands
image          - flash image inspection
fs             - file system commands
fsboot         - try to boot kernel at /kernelcache
devicetree     - create a device tree from the specified address
ramdisk        - create a ramdisk from the specified address
tftp           - tftp via ethernet to/from device
eload          - tftp via ethernet from hardcoded install server
halt           - halt the system (good for JTAG)
reboot         - reboot the device
poweroff       - power off the device
md             - memory display - 32bit
mdh            - memory display - 16bit
mdb            - memory display - 8bit
mw             - memory write - 32bit
mwh            - memory write - 16bit
mwb            - memory write - 8bit
mws            - memory write - string
crc            - POSIX 1003.2 checksum of memory
task           - examine system tasks
printenv       - print one or all environment variables
setenv         - set an environment variable
clearenv       - clear all environment variables
saveenv        - save current environment to flash
run            - use contents of environment var as script
bgcolor        - set the display background color
setpicture     - set the image on the display
iic            - iic read/write
radio          - Manipulate the radio board.
setbusclock    - Set bus clock to the given frequency in Hz.
setcorevoltage - Set core voltage to the given voltage in mV.
syscfg         - flash SysCfg inspection
charge         - Manage the charger chip.
powernvram     - Access Power NVRAM.
usb            - run a USB command
nand           - nand flash routines
chunk          - chunk a file

7/6/2007
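The crc entry in that list names the POSIX 1003.2 checksum, so anyone comparing a memory dump pulled over the serial link against the value the recovery shell reports needs the same algorithm. The following is an added example, not code from the original post or from the iPhone tools it describes; it assumes the bootloader's crc follows the standard cksum(1) definition, which the thread does not confirm.

```python
# Added example, not from the original post: a pure-Python implementation of the
# POSIX 1003.2 "cksum" checksum, the algorithm named by the iBoot "crc" command.
# Assumption: the bootloader's crc output matches the standard cksum definition
# (CRC-32, polynomial 0x04C11DB7, non-reflected, zero initial value, message
# length appended least-significant byte first, final one's complement).
from typing import Tuple

POLY = 0x04C11DB7


def _update(crc: int, byte: int) -> int:
    """Feed one byte into a non-reflected, MSB-first CRC-32 register."""
    crc ^= byte << 24
    for _ in range(8):
        if crc & 0x80000000:
            crc = ((crc << 1) ^ POLY) & 0xFFFFFFFF
        else:
            crc = (crc << 1) & 0xFFFFFFFF
    return crc


def posix_cksum(data: bytes) -> Tuple[int, int]:
    """Return (checksum, length) exactly as the cksum(1) utility prints them."""
    crc = 0
    for b in data:
        crc = _update(crc, b)
    # POSIX appends the byte count, least-significant byte first, with no
    # trailing zero bytes; an empty input appends nothing at all.
    n = len(data)
    while n:
        crc = _update(crc, n & 0xFF)
        n >>= 8
    return (~crc) & 0xFFFFFFFF, len(data)


def dump_matches(dump: bytes, reported_crc: int) -> bool:
    """True if a captured memory region reproduces the checksum the device reported."""
    return posix_cksum(dump)[0] == reported_crc


if __name__ == "__main__":
    # Constructed sample: a fake 16-byte region, not a real iPhone memory dump.
    region = bytes(range(0x10))
    crc, length = posix_cksum(region)
    print(f"{crc} {length}")
    # Flip one bit: the checksum no longer matches, which is what the check is for.
    tampered = bytes([region[0] ^ 0x01]) + region[1:]
    print("tamper detected:", not dump_matches(tampered, crc))
```

The known cksum(1) vectors (empty input gives 4294967295 0, "123456789" gives 930766865 9) are a quick way to confirm a port of this routine before trusting it against device output.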
 
¡sǝuoʇƃıɹ ʎɯ ʇuɐʍ ı

˙ʇno ǝpısuı puɐ uʍop ǝpısdn ǝuoɥdı uɹnʇ ǝʍ ǝɹoɟǝq ǝɯıʇ ɟo ɹǝʇʇɐɯ ɐ ʎluo s,ʇı ˙uɐɯ ʇı ʇɐ dǝǝʞ ʇnq ˙sıɥʇ ƃuıʇǝɹdɹǝʇuı ǝɯıʇ ɹıǝsɐǝ uɐ pɐɥ ı
 
Yeah. Can someone summarize in English?

Hackers have found a list of commands and ways to get the iPhone to respond to commands through a serial connection to the dock connector, not from the UI, and thus may soon be able to get those commands to do something useful.

B
 
¡sǝuoʇƃıɹ ʎɯ ʇuɐʍ ı

˙ʇno ǝpısuı puɐ uʍop ǝpısdn ǝuoɥdı uɹnʇ ǝʍ ǝɹoɟǝq ǝɯıʇ ɟo ɹǝʇʇɐɯ ɐ ʎluo s,ʇı ˙uɐɯ ʇı ʇɐ dǝǝʞ ʇnq ˙sıɥʇ ƃuıʇǝɹdɹǝʇuı ǝɯıʇ ɹıǝsɐǝ uɐ pɐɥ ı

how did you do that? :)
 