Tag Archive for 'iphone'

Apr 05

iPhone 1.1.3 / 1.1.4 jailbreaking and SIM-unlocking how-to and FAQ

As promised, here is the follow-up on iPhone jailbreaking and SIM unlocking for firmware 1.1.3 and 1.1.4. It is a good time to do it, because nothing should change until the new 2.0 firmware ships.

First, the big answer: yes, any iPhone or iPod touch running firmware 1.1.4 can be jailbroken and SIM unlocked. In other words, any OTB (out of the box) iPhone can be used on any network. You no longer have to worry about the baseband version as before, because a hole has been found in baseband 4.6.

The Walkthrough

The method uses a tool called ZiPhone, written by Zibri. It is based on a vulnerability found by geohot and on the old hole that exists in baseband 3.9. I have used this tool on two iPhones and it worked perfectly.

Since a picture is said to be worth a thousand words, what about a video? The video above is a walkthrough of ZiPhone. I couldn't have done better; it is very professional, so thanks to richardlai for it.

The step by step guide

For those who need a step-by-step guide, here is how to do it:

  1. Download ZiPhone.
  2. Download the latest version of iTunes.
  3. Download the firmware: iPhone1,1_1.1.4_4A102_Restore.ipsw (162 MB).
  4. Install iTunes.
  5. Back up your data with iTunes if you need to.
  6. Use the Restore button to install the firmware you downloaded. To be able to pick a custom file, hold the Shift key (Option on a Mac) while clicking Restore.
  7. Wait until the restore completes.
  8. At this point the iPhone asks for activation; that is normal.
  9. Unzip ZiPhone.
  10. Launch ZiPhone.
  11. Make sure the iPhone is connected and visible in iTunes.
  12. Click "Do it all".
  13. Wait around 10 minutes.
  14. It is done. As you can see, some additional software has been installed as well.
  15. If you want to add more software, click the blue icons at the bottom.
  16. Restore your data if you backed it up.
  17. Congratulations.

Frequently Asked Questions

Here are the answers to the questions I get most often about the downgrade and about iPhone unlocking / jailbreaking. If you have more, shoot them in the comments section.

  1. If you are not sure about the difference between jailbreaking and SIM unlocking, please read my previous post about iPhone protection.
  2. Is the SIM unlock permanent? It depends on what you call permanent. geohot reverse-engineered the technique used by iPhoneSimFree, which is better than the previous one, so the unlock now survives resets. If you change firmware, however, the answer is no. The real unlock method used by Apple cannot be used: we don't know how to compute the unlock key.
  3. Why do I have to download the firmware from an alternative site? Is it a modified version? No, it is the stock Apple firmware. Using a known copy simply protects against a bad surprise such as Apple silently replacing the download with a minor revision that patches the hole.
  4. Does iTunes need to be running? Yes, it is used to transmit information to the iPhone.
  5. Why do I need to do a restore? Because if your iPhone was jailbroken before, the two methods might conflict. When you simply upgrade the firmware, some data remains behind.
  6. How does the SIM unlock work with baseband 4.6? It doesn't :) Your baseband is downgraded to version 3.9.
  7. Is baseband 4.6 better than 3.9? It does not appear to improve anything at the moment. That is likely to change with the 3G model, which will almost certainly ship with a new baseband.
  8. Is the downgrade safe? As firmware manipulations go, it is reasonably safe. No problems have been reported so far.
  9. Does it work on the iPod touch? Yes, and you can install all the same applications as on the iPhone.
  10. Why are you using an iPhone as an iPod? I decided to buy an iPhone to use as an iPod (I don't use it as a cellphone) for the following reasons: the hardware volume control, which is the key point for me; better battery life; and more options such as the camera and Bluetooth. Finally, from an aesthetic point of view I prefer the iPhone, especially its back.

The technique behind the method

So how is the new unlock done? It boots an unsigned ramdisk carrying a script that jailbreaks, activates and unlocks the phone. This is possible because the ramdisk is not signature-checked by Apple.
The baseband bootloader installed by the upgrade is actually a version modified by geohot, called the gbootloader. It comes with all the IPSF patches hard-coded, full write access anywhere, no signature checks at startup, and the bootrom locations blanked. It works with baseband 3.9.

Conclusion

For firmware 2.0 it is likely that, as on the PSP, the iPhone will run custom firmware. The technique is pretty much ready: it involves a modified version of Apple's own firmware image. A possible upcoming problem is the 3G model, because 3G functionality is probably not implemented in baseband 3.9, so the current technique will not work on it. Time will tell; meanwhile, have fun with your iPhone / touch :)

Jan 20

iPhone communication attack surface

Ever wondered how your iPhone is potentially vulnerable to attack? Does leaving Bluetooth or Wi-Fi on leak information? Does jailbreaking the iPhone have an impact (hint: yes)?

To answer these questions, I ran a couple of tests on every iPhone communication channel, namely:

  1. Inbound network (TCP) connections
  2. Outbound network connections
  3. Bluetooth communication
  4. Synchronization communication

To be as accurate as possible, I ran these tests on two iPhones: a freshly upgraded 1.1.3 iPhone (the one on the left in the photo) and a jailbroken 1.1.2 one (the one on the right).

[Photo: the two iPhones side by side]

Inbound Net Connections

I used Nmap to test which services are open on each device. First, a good point: they do not answer ping probes, neither the standard ICMP one nor the TCP ping used by Nmap.

Firmware 1.1.3

Nmap returns the following result for the 1.1.3 iPhone. As you can see, one port is open (62078) and the device is accurately detected as an iPhone or an iPod touch.

62078/tcp open unknown
MAC Address: 00:1E:52:04:B0:E3 (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop

Firmware 1.1.2

When Nmap is launched against the jailbroken 1.1.2 iPhone, the following result is returned:

Not shown: 65507 closed ports, 26 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
62078/tcp open unknown
MAC Address: 00:1C:B3:3E:00:2A (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop

As you can see, an extra port is open (port 22) and 26 ports are reported as filtered. I am not sure why they are filtered: it might be my wireless network, the iPhone might have been turned off during the scan, or they really are filtered, which seems unlikely. Other blogs also report random filtered ports.

As you can see, jailbreaking the iPhone opens a port (used to upload software and execute commands). That in itself is not an issue: OpenSSH is used for secure access all around the world, even on sensitive servers. The issue is people who jailbreak their iPhone and then leave the default password ("alpine", shared by the root and mobile accounts, if you want to know). So either turn off the SSH server (there is an applet for that) or change the password. Brute-force attacks against the iPhone's SSH server remain possible, but with a password of appropriate length it should be reasonably secure to leave it on.

What about the mysterious port 62078? It is a feature introduced by Apple :) The port belongs to lockdownd, the service iTunes talks to when syncing, and is meant for internal use. This raises the following question: since there is no wireless syncing, why is this port open on the wireless interface?
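The triage above can be automated. The script below is an added example (not part of the original post): it parses Nmap normal-output blocks like the two shown, and flags a host as a stock iPhone (Apple OUI plus the lockdownd port 62078) or as a jailbroken one (the same plus SSH on port 22, which means the default root/mobile password must be checked). The two scan results are the ones quoted in this post, embedded as constructed sample input; the Apple OUI set is seeded only from those two MACs and would need the IEEE list for real use. Since the devices do not answer ping probes, a live scan needs Nmap's `-Pn` to skip host discovery.

```python
"""Flag stock vs. jailbroken iPhones from Nmap normal output.

Added example for this post. The sample scans are the two results quoted
in the post, embedded here as constructed input. Run: python3 this_file.py
"""
import re

# OUIs Nmap labelled "(Apple)" in the two scans; extend from the IEEE OUI list.
APPLE_OUIS = {"00:1E:52", "00:1C:B3"}
SYNC_PORT = 62078   # lockdownd, the iTunes sync service, open on every iPhone
SSH_PORT = 22       # OpenSSH, only present after a jailbreak

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)
MAC_RE = re.compile(r"^MAC Address:\s*([0-9A-Fa-f:]{17})\s*\(([^)]*)\)", re.M)
OS_RE = re.compile(r"^OS details:\s*(.+)$", re.M)

SCAN_1_1_3 = """\
62078/tcp open unknown
MAC Address: 00:1E:52:04:B0:E3 (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop
"""

SCAN_1_1_2 = """\
Not shown: 65507 closed ports, 26 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
62078/tcp open unknown
MAC Address: 00:1C:B3:3E:00:2A (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop
"""


def parse_scan(text):
    """Pull open ports, MAC/vendor and the OS guess out of one host's Nmap block."""
    mac = MAC_RE.search(text)
    os_guess = OS_RE.search(text)
    return {
        "ports": {int(port): svc for port, svc in PORT_RE.findall(text)},
        "mac": mac.group(1).upper() if mac else None,
        "vendor": mac.group(2).strip() if mac else None,
        "os": os_guess.group(1).strip() if os_guess else None,
    }


def classify(scan):
    """Return 'iphone-stock', 'iphone-jailbroken' or 'not-iphone'."""
    oui = scan["mac"][:8] if scan["mac"] else None
    looks_apple = oui in APPLE_OUIS or (scan["vendor"] or "").lower() == "apple"
    # Stock firmware exposes exactly one TCP service on Wi-Fi: 62078.
    if not looks_apple or SYNC_PORT not in scan["ports"]:
        return "not-iphone"
    if SSH_PORT in scan["ports"]:
        return "iphone-jailbroken"
    return "iphone-stock"


def findings(scan):
    """Review items for one host, as a list of strings."""
    verdict = classify(scan)
    notes = [f"verdict: {verdict}"]
    if verdict == "iphone-jailbroken":
        notes.append("sshd reachable over Wi-Fi: confirm the root and mobile "
                     "passwords were changed from the default 'alpine', "
                     "or stop sshd if it is not needed")
    if verdict.startswith("iphone"):
        notes.append("62078/tcp (lockdownd) listens on Wi-Fi although "
                     "there is no wireless sync")
    return notes


if __name__ == "__main__":
    for label, text in (("1.1.3 stock", SCAN_1_1_3), ("1.1.2 jailbroken", SCAN_1_1_2)):
        print(label)
        for note in findings(parse_scan(text)):
            print("  -", note)
```

Feed it one host block at a time (split Nmap output on the "Nmap scan report for" lines); the OUI check keeps a random host that happens to run something on 62078 from being reported as an iPhone.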

Outbound network connections

Outbound connections are mostly made through Safari, so I looked at the headers the iPhone sends when requesting a page to see what information it gives away. I did so by writing a little PHP script that dumps the request variables.

iPhone language

First, it is possible to know which language your iPhone is set to, thanks to HTTP_ACCEPT_LANGUAGE: there is a direct correlation between the iPhone's language and that header. When I switched my iPhone to French, HTTP_ACCEPT_LANGUAGE changed too.

Firmware version

Secondly, two variables differed between the two iPhones: USER-AGENT and CACHE-CONTROL.

Firmware 1.1.2 sends this:

HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3

Firmware 1.1.3 sends this:

HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3
HTTP_CACHE_CONTROL max-age=0

First of all, it is normal that both iPhones send a User-Agent string saying they are indeed iPhones. What bothers me is the number after the Mobile token (3B48b and 4A93 above). I guess they are firmware related, because when I look at browser databases there is only a limited number of iPhone strings.

That may pose a security issue, because it lets the target site know whether you are vulnerable to a given attack. This is clearly not science fiction: as you may know, the jailbreak technique is based on a flaw in Safari, and that flaw can of course be used against you as well. Hence I don't think broadcasting the firmware version is a good thing. I don't see any situation where it is useful.
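To show concretely how much a site learns from one request, here is an added example (not the author's PHP script and not part of the original post). It parses request dumps in the `HTTP_*` style the post prints, extracts the UI language and the Mobile build from the User-Agent, and maps the build to a firmware version using only the pairs this post establishes (3B48b = 1.1.2 and 4A93 = 1.1.3 from the User-Agent strings, 4A102 = 1.1.4 from the restore image filename). The dumps are constructed from the two strings quoted above; the `HTTP_ACCEPT_LANGUAGE fr` line and the desktop browser sample are assumptions, since the post does not print them.

```python
"""What a web server learns from an iPhone's request headers.

Added example for this post. The header dumps are constructed from the two
User-Agent strings quoted in the post; the Accept-Language value and the
desktop sample are assumed.
"""
import re

# Build numbers the post ties to firmware versions (see its UA strings and
# the iPhone1,1_1.1.4_4A102_Restore.ipsw filename). Unknown builds map to
# "unknown" rather than being guessed.
BUILD_TO_FIRMWARE = {"3B48b": "1.1.2", "4A93": "1.1.3", "4A102": "1.1.4"}

UA_RE = re.compile(
    r"\(iPhone; U; CPU like Mac OS X; (?P<lang>[a-z]{2}(?:-[A-Za-z]{2})?)\)"
    r".*?AppleWebKit/(?P<webkit>[\d.]+)"
    r".*?Mobile/(?P<build>[0-9A-Za-z]+)"
)

# Dumps in the $_SERVER style the post's PHP script printed (constructed).
REQUEST_1_1_2 = """\
HTTP_ACCEPT_LANGUAGE fr
HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3
"""

REQUEST_1_1_3 = """\
HTTP_ACCEPT_LANGUAGE fr
HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3
HTTP_CACHE_CONTROL max-age=0
"""

# A non-iPhone client, to show the parser declines rather than guesses.
REQUEST_DESKTOP = """\
HTTP_ACCEPT_LANGUAGE en-us
HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
"""


def parse_server_dump(text):
    """Turn 'HTTP_USER_AGENT value' lines into {'User-Agent': 'value', ...}."""
    headers = {}
    for line in text.splitlines():
        if not line.startswith("HTTP_"):
            continue
        key, _, value = line.partition(" ")
        # HTTP_ACCEPT_LANGUAGE -> Accept-Language
        name = "-".join(part.capitalize() for part in key[5:].split("_"))
        headers[name] = value.strip()
    return headers


def fingerprint(headers):
    """Return what the site learns from an iPhone request, or None for other clients."""
    match = UA_RE.search(headers.get("User-Agent", ""))
    if not match:
        return None
    build = match.group("build")
    return {
        "device": "iPhone",
        "ui_language": match.group("lang"),
        "accept_language": headers.get("Accept-Language"),
        "webkit": match.group("webkit"),
        "build": build,
        "firmware": BUILD_TO_FIRMWARE.get(build, "unknown"),
        # Only the 1.1.3 phone sent Cache-Control, so its presence is one more
        # version-correlated bit even if the UA were stripped.
        "sends_cache_control": "Cache-Control" in headers,
    }


if __name__ == "__main__":
    for label, dump in (("1.1.2", REQUEST_1_1_2), ("1.1.3", REQUEST_1_1_3),
                        ("desktop", REQUEST_DESKTOP)):
        print(label, fingerprint(parse_server_dump(dump)))
```

A server-side attacker needs nothing more than this to serve a payload only to the firmware it works on, which is the point the paragraph above makes about broadcasting the build number.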

Mail

Here the security is pretty strong: by default, IMAP, POP and SMTP connections are encrypted with SSL.

Bluetooth

Last but clearly not least: the Bluetooth stack, an often overlooked communication channel that many people actually leave on.

First remark: it is hard to switch it on and off because the toggle is buried in the General settings, so most people will likely leave it on.

Edit (11 March): As pointed out by Paul in the comments, Bluetooth switches from discoverable to hidden when you leave the menu. My second remark was therefore unjustified.

Second remark: there are two ways to have Bluetooth on, either on and hidden or on and discoverable (other devices can see you). On the iPhone you have no choice: when it is on, you are always discoverable. Here, clearly, simplicity was not a good idea.

For the Bluetooth analysis I used BTCrawler, a Bluetooth scanner for Windows Mobile written by c0rnholio. Sadly, because of a German law, this software is no longer available or updated (fortunately I still have a copy of it).

First of all, the two iPhones do not see each other. That was expected.

Secondly, when the iPhone is discoverable it can be scanned. Here is a screenshot of BTCrawler's scan result with Bluetooth turned on:

[Screenshot: BTCrawler device scan showing the two iPhones]

We clearly see that the first one is called "iLight" (1.1.2) and the other "Iphone de elie" (1.1.3). That is exactly the name you gave your iPhone.

More subtly, both Bluetooth addresses start with 001. I am not sure there is a MAC-style vendor prefix for Bluetooth devices, but it might be worth checking out.

I went a step further and scanned which services were available over Bluetooth.

[Screenshot: BTCrawler service scan of an iPhone]

There were many Bluetooth services (that is expected), but I don't know what the IrMCSyncService is for. Maybe sync over Bluetooth? But as far as I know that is not possible...

Having Bluetooth enabled gives away too much information. Because the device constantly broadcasts, its Bluetooth address can be used to track you. Moreover, Bluetooth attacks exist, so this is definitely something to consider.

Sync port

This time I did not do all the tests myself (for lack of time), but it appears that sensitive information transferred between iTunes and the iPhone is encrypted with SSL. You can also watch the sync from the inside by dumping packets on the local interface during a sync (remember the famous 62078).

Food for thought

This analysis is far from complete. Here are some points I have not checked:

  • The iPhone might "phone home" when it gets online.
  • When accessing the iTunes Store, some information such as a unique ID might be sent.
  • When accessing Apple pages, some additional data might be sent.
  • iTunes might send data when downloading firmware or syncing the iPhone.
  • Why is Bluetooth always set to discoverable, and why does it expose a sync service?

As far as this analysis goes, I can say that Apple has covered the TCP/Wi-Fi part of the iPhone pretty well. On the Bluetooth part and the User-Agent string I am more doubtful; I am not sure whether it is intentional or whether they ran out of time before the release.

This quick study also hints that wireless sync will come sooner or later: port 62078 listening on the Wi-Fi interface and the Bluetooth sync service both seem quite intentional.