Archive for the 'Hardware' Category

Apr 05

iPhone 1.1.3 / 1.1.4 jailbreaking and SIM-unlocking how-to and FAQ

As promised, here is the follow-up on jailbreaking and SIM-unlocking the iPhone on firmware 1.1.3 and 1.1.4. It is a good time to do it, because the situation should stay as it is until the new 2.0 firmware ships.

First, the big answer: yes, any iPhone or iPod touch on firmware 1.1.4 can be jailbroken and SIM-unlocked. In other words, any out-of-the-box (OTB) iPhone can be used on any network. You no longer have to worry about the baseband version as before, because a way past baseband 4.6 has been found (it gets downgraded to 3.9, see the FAQ below).

The Walkthrough

The method uses a tool called ZiPhone, written by Zibri. It relies on a vulnerability found by geohot and on the old hole that exists in baseband 3.9. I have used this tool on two iPhones and it worked perfectly.

Since a picture is said to be worth a thousand words, what about a video? The video embedded above is a walkthrough of ZiPhone. I could not have done better; it is very professional, so thanks to richardlai for it.

The step by step guide

For those who need a step-by-step guide, here is how to do it:

  1. Download ZiPhone.
  2. Download the latest version of iTunes.
  3. Download the firmware: iPhone1,1_1.1.4_4A102_Restore.ipsw (162 MB).
  4. Install iTunes.
  5. Back up your data with iTunes if you need to.
  6. Use the Restore button to install the firmware you downloaded: hold the Shift key (Option on a Mac) while clicking Restore so that you can select a custom file.
  7. Wait until the restore completes.
  8. At this point the iPhone asks for activation; that is normal.
  9. Unzip ZiPhone.
  10. Launch ZiPhone.
  11. Make sure the iPhone is connected and visible in iTunes.
  12. Click "Do it all".
  13. Wait around 10 minutes.
  14. Done. As you can see, some additional software is installed as well.
  15. If you want more software, click the blue icons at the bottom.
  16. Restore your data if you backed it up.
  17. Congratulations.

Frequently Asked Questions

Here are the answers to the questions I get most often about the downgrade and about iPhone unlocking/jailbreaking. If you have more, post them in the comments.

  1. First, if you are not sure about the difference between the two, please read my previous post about iPhone protection.
  2. Is the SIM unlock permanent? It depends on what you call permanent. geohot reverse-engineered the technique used by SimFree, which is better than the previous one, so the unlock now survives resets. If you change firmware, however, the answer is no. Apple's real activation method cannot be used: we do not know how to compute the unlock key.
  3. Why do I have to download the firmware from a third-party site? Is it a modified version? No, it is not modified; fetching it elsewhere simply avoids bad surprises such as Apple pushing a minor revision that patches the hole. Since the file does not come from Apple, compare its checksum with one you trust before restoring with it.
  4. Does iTunes need to be running? Yes: ZiPhone uses it to talk to the iPhone.
  5. Why do I need to do a restore? Because if your iPhone was jailbroken before, the two methods may conflict. A plain firmware upgrade leaves some data behind.
  6. How does the SIM unlock work on baseband 4.6? It does not :) Your baseband is downgraded to version 3.9.
  7. Is baseband 4.6 better than 3.9? It does not appear to improve anything at the moment. That will likely change with the 3G model, which will almost certainly use a new baseband.
  8. Is the downgrade safe? As far as firmware manipulation goes, it is reasonably safe. No problems have been reported so far.
  9. Does it work on the iPod touch? Yes, and you can install every application the iPhone has.
  10. Why do you use an iPhone as an iPod? Well, I decided to buy an iPhone as an iPod (I don't use it as a cellphone) for the following reasons: the hardware volume control, which is the key point for me, better battery life, and more options such as a camera and Bluetooth. Finally, from an aesthetic point of view, I prefer the iPhone, especially its back.
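Step 3 of the guide and question 3 of the FAQ both have you fetch the 1.1.4 restore image from a site other than Apple's, so the practical question is whether the file you got is the one the guide expects. The checker below is an added example, written for this page; it is not part of the original post and not ZiPhone code. It assumes (not stated in the post) that an IPSW is a ZIP archive containing a Restore.plist whose ProductVersion and ProductBuildVersion keys describe the firmware, and that the file name follows the <device>_<version>_<build>_Restore.ipsw pattern seen in step 3. The sample archive it builds is constructed for the demo and is not a real firmware image.

```python
"""Sanity-check an iPhone restore image (.ipsw) before handing it to iTunes.

Added example for this page, not ZiPhone code. Assumptions: an IPSW is a ZIP
archive carrying a Restore.plist with ProductVersion / ProductBuildVersion
keys, and its name follows <device>_<version>_<build>_Restore.ipsw.
"""
import hashlib
import io
import plistlib
import re
import zipfile

# e.g. iPhone1,1_1.1.4_4A102_Restore.ipsw -> device / version / build
IPSW_NAME_RE = re.compile(
    r"^(?P<device>[A-Za-z]+\d+,\d+)_"
    r"(?P<version>\d+(?:\.\d+)+)_"
    r"(?P<build>[0-9A-Z]+)_Restore\.ipsw$"
)


def parse_ipsw_name(name):
    """Split an Apple restore-image file name into its device/version/build parts."""
    m = IPSW_NAME_RE.match(name)
    if not m:
        raise ValueError("not an Apple restore-image file name: %r" % name)
    return m.groupdict()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_ipsw(name, data, expected_sha256=None):
    """Return a list of problems found (empty list means the image looks consistent).

    Checks performed: file-name shape, optional SHA-256 against a hash you trust,
    ZIP integrity (CRC of every member), presence of Restore.plist, and agreement
    between the plist's version/build and the version/build in the file name.
    """
    try:
        meta = parse_ipsw_name(name)
    except ValueError as e:
        return [str(e)]

    problems = []
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        problems.append("SHA-256 mismatch: file does not match the published hash")

    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("not a ZIP archive")
        return problems

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = zf.testzip()  # first member whose CRC does not match, or None
        if bad is not None:
            problems.append("CRC error in archive member %s" % bad)
        if "Restore.plist" not in zf.namelist():
            problems.append("Restore.plist missing")
            return problems
        plist = plistlib.loads(zf.read("Restore.plist"))

    for key, field in (("ProductVersion", "version"), ("ProductBuildVersion", "build")):
        if plist.get(key) != meta[field]:
            problems.append("%s is %r in Restore.plist but %r in file name"
                            % (key, plist.get(key), meta[field]))
    return problems


def build_sample_ipsw(version="1.1.4", build="4A102"):
    """Construct a tiny stand-in archive so the checker can run offline.

    This is NOT a real firmware image; it only has the shape the checker inspects.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Restore.plist", plistlib.dumps({
            "ProductVersion": version,
            "ProductBuildVersion": build,
            "ProductType": "iPhone1,1",
        }))
        zf.writestr("kernelcache.release.s5l8900x", b"\x00" * 64)  # constructed filler
    return buf.getvalue()


if __name__ == "__main__":
    name = "iPhone1,1_1.1.4_4A102_Restore.ipsw"
    good = build_sample_ipsw()
    print(name, "->", check_ipsw(name, good, expected_sha256=sha256_hex(good)) or "OK")
    mislabelled = build_sample_ipsw(version="1.1.3", build="4A93")  # constructed mismatch
    print(name, "->", check_ipsw(name, mislabelled))
```

On a real download, call check_ipsw with the file's bytes and the SHA-256 published by whichever source you trust; a non-empty list means stop before clicking Restore. The version/build comparison catches the quiet case the FAQ warns about, a file renamed to look like 4A102 that actually contains a different build.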

The technique behind the method

So how is the new unlock done? It boots an unsigned ramdisk carrying a script that jailbreaks, activates and unlocks. This is possible because ramdisks are not signed by Apple.
The bootloader installed by the upgrade is actually a modified version by geohot, called gbootloader. It comes with all the hard-coded IPSF, full anywhere write access, no startup signature checks, and the bootrom locations blanked. It works with bootloader 3.9.

Conclusion

For firmware 2.0 it is likely that, as with the PSP, the iPhone will move to custom firmware. The technique is pretty much ready: it involves a modified version of Apple's own firmware. A possible upcoming problem is the 3G model, because the 3G functionality is probably not implemented in baseband 3.9, so the current technique will not work there. Time will tell; meanwhile, have fun with your iPhone/touch :)

Feb 11

NextGen Console Protection Hacking Survey

Over the last few years many new game consoles have come to market: the PS3, the Xbox 360, the Wii, the PSP. They all use advanced security features to prevent game copying and firmware hacking. Currently most of these schemes are broken. This post aims to give a comprehensive overview of the current situation.

I will review the security of the following six consoles in this post:

  1. The Nintendo DS Lite
  2. The Nintendo Wii
  3. The Microsoft Xbox
  4. The Microsoft Xbox 360
  5. The Sony PSP
  6. The Sony PS3

Nintendo

Nintendo Company Limited is a Japanese multinational corporation founded on September 23, 1889 [1] in Kyoto, Japan by Fusajiro Yamauchi to produce handmade hanafuda cards. Nintendo has the distinction of being both the oldest intact company in the video game console market and one of the largest and best-known console manufacturers, as well as the dominant player in the handheld console market.

The DS

The Nintendo DS Lite (sometimes abbreviated DSLite) is a dual-screen handheld game console developed and manufactured by Nintendo. It is a slimmer, brighter and lighter redesign of the Nintendo DS, meant to be sleeker, to take styling cues from the Game Boy Advance SP, and to appeal to a broader audience. It was announced on January 26, 2006, more than a month before its first launch in Japan on March 2, 2006, in response to overwhelming demand for the original model. As of December 31, 2007, sales of the DS Lite had reached 45.97 million units worldwide.


The DS security was designed by the RSA company. It is considered fully broken: it is possible to play backed-up games and to install Linux on it (the DSLinux project). The code-signature protection is bypassed with a hardware device called a linker, which acts as a bridge between the DS and the ROM.


The WII

Nintendo's Wii was released in North America on November 19, 2006, in Japan on December 2, 2006, in Australia on December 7, 2006, and in Europe on December 8, 2006. It is bundled with Wii Sports in all regions except Japan. The Wii retails for approximately $250. Unlike the other systems of this generation, the Wii has no internal hard drive; it uses 512 MB of internal flash memory and supports removable SD card storage. Its maximum graphics output is 480p, making it the only seventh-generation console without high-definition output.


Wii security is considered fully broken: it is possible to launch backed-up games, run homebrew and install Linux. Currently the code-signature check is bypassed with a modchip, which is fairly easy to install. The situation will probably evolve, though, since a bug in Zelda seems exploitable. A modchip costs around $25; the most famous is the WiiKey.

Microsoft

Microsoft entered the multi-billion-dollar game console market dominated by Sony and Nintendo in late 2001 [50], with the release of the Xbox. The company develops and publishes its own video games for this console, with the help of its Microsoft Game Studios subsidiary, in addition to third-party Xbox video game publishers such as Electronic Arts and Activision, who pay a license fee to publish games for the system.

Xbox

Microsoft’s Xbox was the company’s first video game console. The first console to employ a hard drive right out of the box to save games, the Xbox blurred the line between PC and console gaming, as it had similar hardware specifications to a low-end desktop computer at the time of its release.


According to the book Smartbomb, by Heather Chaplin and Aaron Ruby, the remarkable success of the upstart Sony PlayStation worried Microsoft in the late 1990s. The growing video game market seemed to threaten the PC market, which Microsoft dominated and relied upon for most of its revenue. Additionally, a venture into the console market would diversify Microsoft's product line, which until then had been heavily concentrated on software.

According to Dean Takahashi’s book, Opening the Xbox, the Xbox was originally to be named “DirectX-box”, to show the extensive use of DirectX within the console’s technology. “Xbox” was the final name decided by marketing, but the console still retains some hints towards DirectX, most notably the “X”-shaped logo, which DirectX is famous for, along with the “X” shape on the top of the system.


The Xbox BIOS was dumped a few months after release and hacked so that it skips the digital-signature checks and media flags, allowing unsigned code, game backups and so on to run. The modification can be done with a modchip or with a save-game exploit: selected official games are used to load save files that trigger buffer overflows in the save-game handling code.

Today the Xbox remains a popular device because, thanks to the Xbox Media Center project, it can be turned into an advanced media center with a very nice GUI.

Xbox 360

Microsoft's Xbox 360 was released on November 22, 2005. An HD DVD drive is available as an accessory. The Xbox 360 was the first console able to use wireless controllers out of the box. The Xbox Live service is the hallmark of the system, and the console connects to it over the Internet through a built-in Ethernet port or a wireless accessory.


Microsoft's next-gen console has pretty tough security. Launching backed-up games is possible by modifying the DVD drive firmware; that DVD security was broken soon after the Xbox 360's release. The console itself, however, was fully broken only a few months ago: installing an alternative OS requires a complex timing attack. The first chips that allow booting custom code are not yet on the market; the Infectus team plans to release one soon.


Note that even though backed-up games can be played on the Xbox 360, Microsoft can still detect this through Xbox Live. Numerous users report having been banned for it.


Sony

Sony Corporation is a Japanese multinational conglomerate corporation and one of the world’s largest media conglomerates with revenue of $70.303 billion (as of 2007) based in Minato, Tokyo.
In 1994 Sony launched the PlayStation (later PS one). This successful console was succeeded by the PlayStation 2 in 2000, itself succeeded by the PlayStation 3 in 2006. The PlayStation brand was extended to the portable games market in 2005 by the PlayStation Portable.

The PSP

The PlayStation Portable (officially abbreviated PSP) is a handheld game console released and manufactured by Sony Computer Entertainment. Its development was first announced during E3 2003, and it was officially unveiled on May 11, 2004 at a Sony press conference before E3 2004. The system was released in Japan on December 12, 2004, in North America on March 24, 2005 and in the PAL region on September 1, 2005. It is the first handheld video game system to use an optical disc format (Universal Media Disc). Although Sony tried to push the UMD format for movies, major studios stopped supporting it in the spring of 2006. A new slimmer and lighter version of the PSP, aptly named Slim and Lite, was announced and released in 2007.


PSP security is considered broken: it is possible to play backed-up games and run homebrew by using a modified firmware. Each time Sony releases a new firmware, the underground community creates a custom firmware based on it. The latest custom firmware is currently 3.90 M33.


The Playstation 3

Sony's PlayStation 3 was released in Japan on November 11, 2006, in North America on November 17, 2006 and in Europe on March 23, 2007. All PlayStation 3s come with a hard drive and play Blu-ray Disc movies and games out of the box. The PlayStation 3 was the first video game console to support HDMI out of the box, with full 1080p output. Controllers (up to 7) connect to the console through Bluetooth and have tilt-sensing capabilities.


Currently PS3 security is undefeated. Many rumors are floating around the net, but most of them are pure fakes; even the "hello world" video is a fake. The most credible one is the ability to launch a backed-up game from the hard drive, with a patched ISO. The only piece of software currently available is the NAND extractor (0.4).


Summary

Bypass method

Each console's security has been bypassed differently, as the following table shows.

Console  | Backup games | Homebrew | Bypass technique  | Price                            | Note
DS       | Yes          | Yes      | Hardware          | $30                              | Linker inserted in place of a real cartridge
Wii      | Yes          | Yes      | Hardware          | $35                              | Modchip; a software technique is underway
Xbox     | Yes          | Yes      | Hardware/Software | $31 (modchip)                    | Save-game exploit or modchip
Xbox 360 | Yes          | No       | Software/Hardware | $50 estimated (modchip)          | Software for backup games; hardware for homebrew (not yet available)
PSP      | Yes          | Yes      | Hardware/Software | $25 battery, $20-70 memory stick | Needs a Pandora battery to switch to a custom firmware
PS3      | No           | No       | N/A               | N/A                              | Rumors of a successful backup-game launch

The Xbox 360 is the console whose security has resisted the longest (more than two years since its November 2005 release). The Wii was broken early. For the PS3, bets are open. Finally, the PSP's hack history is probably the most interesting of all, because many techniques were used before a "definitive" method was found (the Pandora battery).

Backup Support

Besides the bypass method, another key distinction between consoles is the storage medium used for backed-up games.

Console  | Game size                      | Backup medium            | Reusable | Multiple games | Price                     | Note
DS Lite  | 64-256 MB                      | Cartridge / memory card  | Yes      | Yes            | $20 (1 GB) - $100 (4 GB)  | Newer linkers use standard removable cards such as microSD
Wii      | 4.7 or 7.9 GB                  | DVD / DVD DL (9 GB)      | No       | No             | $0.3 / $2                 | Most games fit on a standard DVD; some need a dual-layer DVD
Xbox     | 500 MB - 4.7 GB (2 GB average) | HDD / DVD                | Yes / No | Yes / No       | Built-in / $0.3           | Games can be stored on the HDD or burned to DVD
Xbox 360 | 7.9 GB                         | DVD+R DL (8 GB)          | No       | No             | $2.5                      | Games must be on a DVD; every backup is 7.7 GB
PSP      | 200 MB - 1.8 GB                | Memory Stick Pro         | Yes      | Yes            | $20-100                   | Games must be launched from the memory stick; there is no writable UMD. 1.8 GB is the UMD DL limit
PS3      | 25 GB (?)                      | HDD                      | N/A      | N/A            | N/A                       | Theoretical figures! Current ISOs are around 4.7 GB

Conclusion

Every console has its own protection scheme and bypass method. It is interesting to see that next-gen consoles take longer to break than the previous generation. The skill level of the hackers is also pretty impressive; for example, the timing attack used against the Xbox 360 is very advanced and required a tremendous effort.