Tag Archive for 'jailbreak'

Apr 05

iPhone 1.1.3 / 1.1.4 jailbreaking and SIM-unlocking how-to and FAQ

As promised, here is the follow-up on iPhone jailbreaking and SIM unlocking for firmware 1.1.3 and 1.1.4. It is a good time to do it, because nothing should change until firmware 2.0 comes out.

First, the big answer: yes, any iPhone or iPod touch running firmware 1.1.4 can be jailbroken and SIM-unlocked. In other words, any out-of-the-box (OTB) iPhone can be used on any network. You no longer have to worry, as before, about which bootloader (3.9 or 4.6) the phone shipped with, because a hole has been found in version 4.6.

The Walkthrough

The method uses a tool called ZiPhone, written by Zibri. It relies on a vulnerability found by geohot and on the old hole that exists in bootloader 3.9. I have used this tool on two iPhones and it worked perfectly.

Since a picture is said to be worth a thousand words, what about a video? The one above is a walkthrough video for ZiPhone. I could not have done better; it is very professional, so thanks to richardlai for it.

The step-by-step guide

For those who need a step-by-step guide, here is how to do it:

  1. Download ZiPhone.
  2. Download the latest version of iTunes.
  3. Download the firmware: iPhone1,1_1.1.4_4A102_Restore.ipsw (162 MB).
  4. Install iTunes.
  5. Back up your data with iTunes if you need to.
  6. Use the Restore button to install the firmware you downloaded: hold the Shift key (Option on a Mac) while clicking Restore so that you can select a custom file.
  7. Wait until it completes.
  8. At this point the iPhone asks for activation; that is normal.
  9. Unzip ZiPhone.
  10. Launch ZiPhone.
  11. Make sure the iPhone is connected and visible in iTunes.
  12. Click "Do it all".
  13. Wait around 10 minutes.
  14. Done. As you can see, some additional software is installed as well.
  15. If you want to add more software, click the blue icons at the bottom.
  16. Restore your data if you backed it up.
  17. Congratulations.

Frequently Asked Questions

Here are the answers to the questions I get most often about iPhone unlocking and jailbreaking. If you have more, ask them in the comments.

  1. First, if you are not sure about the difference between activation, jailbreak and SIM unlock, please read my previous post on the iPhone protection scheme.
  2. Is the SIM unlock permanent? It depends on what you call permanent. geohot reversed the technique used by iPhoneSimFree (IPSF), which is better than the previous one, so the unlock now survives resets. If you change firmware, however, the answer is no. The real activation method used by Apple still cannot be reproduced: we do not know how to compute the unlock key.
  3. Why do I have to download the firmware from an alternative site? Is it a modified version? No, it is not, but it protects you from bad surprises such as Apple pushing a minor revision that patches the hole.
  4. Does iTunes need to be running? Yes: it is used to transmit information to the iPhone.
  5. Why do I need to do a restore? Because if your iPhone has been jailbroken before, the two methods might conflict. A plain firmware upgrade leaves some data behind.
  6. How does the SIM unlock work with bootloader 4.6? It does not :) Your bootloader is downgraded to version 3.9.
  7. Is bootloader 4.6 better than 3.9? It does not appear to improve anything at the moment. The situation is likely to change with the 3G version, which will certainly use a new baseband.
  8. Is the downgrade safe? As firmware manipulation goes, it is reasonably safe: no problems have been reported so far.
  9. Does it work for the iPod touch? Yes, and you can install every application the iPhone has.
  10. Why are you using an iPhone as an iPod? Well, I decided to buy an iPhone to use as an iPod (I don't use it as a cellphone) for the following reasons: the hardware volume control, which is the key point for me; better battery life; more options such as the camera and Bluetooth. Finally, from an aesthetic point of view, I prefer the iPhone, especially its back.

The technique behind the method

So how is the new unlock done? ZiPhone boots an unsigned ramdisk containing a script that jailbreaks, activates and unlocks. This is possible because ramdisks are not signed by Apple, so nothing in the boot chain verifies what the ramdisk contains before it runs.
The bootloader installed by the upgrade is actually a version modified by geohot, called the gbootloader. It comes with all the IPSF values hard-coded, full write access anywhere, no start-up signature checks, and the bootrom locations blanked. It works with bootloader 3.9.
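The weakness the technique relies on, as an added model that is not code from the original post, from Apple, from geohot or from ZiPhone: a boot chain where each stage verifies the next one, except the ramdisk. The keyed checksum below is a stand-in for Apple's signature check (an assumption made to keep the example self-contained; real verification uses public-key signatures), and the vendor key, stage names and image bytes are constructed. With the ramdisk unchecked, a replaced ramdisk boots while the vendor's other stages stay intact; with the check applied to every stage it is refused.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Apple's, geohot's or ZiPhone's code): a toy boot chain
 * with one unverified link, the ramdisk. The keyed checksum stands in for
 * a real public-key signature check; key, images and names are constructed. */

enum { STAGE_IBOOT = 0, STAGE_KERNEL, STAGE_RAMDISK, NSTAGES };

typedef struct {
    const char *name;
    const uint8_t *image;
    size_t len;
    uint32_t sig;  /* "signature" the vendor shipped for the genuine image */
    int checked;   /* 1 if the previous stage verifies sig before running it */
} boot_stage;

/* Toy keyed checksum (FNV-1a over key || data). Placeholder for RSA. */
uint32_t toy_sign(const uint8_t *key, size_t klen,
                  const uint8_t *data, size_t dlen) {
    uint32_t h = 2166136261u;
    size_t i;
    for (i = 0; i < klen; i++) { h ^= key[i]; h *= 16777619u; }
    for (i = 0; i < dlen; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

/* Walk the chain in order. A stage marked `checked` runs only if its
 * signature recomputes over the image actually present; an unchecked stage
 * runs as-is. Returns -1 if every stage ran, else the index refused. */
int boot_chain(const boot_stage *s, size_t n, const uint8_t *key, size_t klen) {
    size_t i;
    for (i = 0; i < n; i++)
        if (s[i].checked && toy_sign(key, klen, s[i].image, s[i].len) != s[i].sig)
            return (int)i;
    return -1;
}

/* Constructed vendor key and stage images. */
static const uint8_t VENDOR_KEY[]   = "vendor-signing-key";
static const uint8_t IBOOT_IMG[]    = "iboot: load and verify the kernel";
static const uint8_t KERNEL_IMG[]   = "kernel: mount / read-only";
static const uint8_t RAMDISK_IMG[]  = "ramdisk: stock restore";
static const uint8_t EVIL_KERNEL[]  = "kernel: patched, no checks";
static const uint8_t EVIL_RAMDISK[] = "ramdisk: mount -uw /; jailbreak; unlock";
#define IMG(x) (x), (sizeof(x) - 1)

/* Vendor side: record the image and sign it with the vendor key. */
static void set_stage(boot_stage *st, const char *name, const uint8_t *img,
                      size_t len, int checked) {
    st->name = name;
    st->image = img;
    st->len = len;
    st->checked = checked;
    st->sig = toy_sign(IMG(VENDOR_KEY), img, len);
}

/* Build the genuine chain, optionally swap in attacker images (the stored
 * signatures stay the vendor's, as on a reflashed device), and boot.
 * check_ramdisk selects the policy: 0 = the hole the unlock relies on,
 * 1 = every stage verified. Returns what boot_chain returns. */
int boot_result(int check_ramdisk, int tamper_kernel, int tamper_ramdisk) {
    boot_stage s[NSTAGES];
    set_stage(&s[STAGE_IBOOT],   "iboot",   IMG(IBOOT_IMG),   1);
    set_stage(&s[STAGE_KERNEL],  "kernel",  IMG(KERNEL_IMG),  1);
    set_stage(&s[STAGE_RAMDISK], "ramdisk", IMG(RAMDISK_IMG), check_ramdisk);
    if (tamper_kernel) {
        s[STAGE_KERNEL].image = EVIL_KERNEL;
        s[STAGE_KERNEL].len = sizeof(EVIL_KERNEL) - 1;
    }
    if (tamper_ramdisk) {
        s[STAGE_RAMDISK].image = EVIL_RAMDISK;
        s[STAGE_RAMDISK].len = sizeof(EVIL_RAMDISK) - 1;
    }
    return boot_chain(s, NSTAGES, IMG(VENDOR_KEY));
}

int main(void) {
    printf("stock, ramdisk unchecked:        %d\n", boot_result(0, 0, 0));
    printf("evil ramdisk, ramdisk unchecked: %d (boots anyway)\n", boot_result(0, 0, 1));
    printf("evil ramdisk, all checked:       %d (refused at stage %d)\n",
           boot_result(1, 0, 1), STAGE_RAMDISK);
    printf("evil kernel, ramdisk unchecked:  %d (refused at stage %d)\n",
           boot_result(0, 1, 0), STAGE_KERNEL);
    return 0;
}
```

The point of the model is the policy table, not the checksum: the kernel is refused whenever it is tampered with, because the stage before it checks it, while the ramdisk gets through under the 1.1.x-style policy even though the rest of the chain is intact. Closing the hole means making the check unconditional, not making the ramdisk harder to replace.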

Conclusion

For firmware 2.0, it is likely that the iPhone will go the way of the PSP and run custom firmware. The technique is pretty much ready: it involves using a modified version of Apple's own firmware. A possible upcoming problem is the 3G model, because 3G functionality is probably not implemented in the downgraded baseband, so the current technique will not work. Time will tell; meanwhile, have fun with your iPhone or iPod touch :)

Dec 05

iPhone protection scheme analysis

With the big buzz around this device, many articles and tutorials have been written on how to "hack" it. In this post I will try to give you an insight into how the iPhone is protected and how these protections are bypassed.

The iPhone protection aims at two things:

  1. Enforcing mobile contract subscription
  2. Preventing third-party application installation

The first goal has obvious reasons, while the second is a little harder to understand. I do not know for sure, but here are some possible reasons for preventing third-party applications:

  • Making reverse engineering of the iPhone harder
  • Limiting the attack surface of the iPhone
  • Controlling the distinction between the iPod touch and the iPhone
  • Enforcing mobile contract subscription, since SIM-unlocking the iPhone requires running third-party software on it

iPhone software
Before getting into the protection details, let's first take a closer look at the different pieces of software in the iPhone. There are three important ones:

  1. The firmware
  2. The Baseband
  3. The Bootloader

The firmware is the OS (a cut-down OS X) and the applications that run on the iPhone. A new firmware is released to correct bugs or add functionality.

Three major versions of the firmware are currently available: 1.0.2, 1.1.1 and 1.1.2. Here I would like to emphasize an important point: contrary to what is written on many blogs, the ability to bypass the iPhone protection is not tied to the firmware version but to the bootloader version.

The bootloader is the piece of software responsible for loading the baseband (the modem software, described below), a kind of BIOS for the modem if you like; it is distinct from the one that loads the main firmware. There are two versions of it: 3.9 and 4.6. To keep it simple: if your iPhone has bootloader 3.9, every protection can be fully bypassed in software. If it has 4.6, the jailbreak is possible but the software SIM unlock is not. It is only a matter of time, however, before 4.6 is reversed and can be patched, and hardware SIM-unlock techniques remain available, as we will see.

Every phone sold with firmware 1.1.1 or earlier uses bootloader 3.9. It is generally accepted that the switch to 4.6 happened between production weeks 43 and 44; hence every iPhone shipped with firmware 1.1.2 uses 4.6. This includes the European iPhones (DE, UK, FR ...) and new US iPhones.

The last important piece of software is the baseband: the software that controls the modem, and hence the software responsible for the telephony part of the iPhone. The bootloader discussed above is what loads the baseband and lets the main firmware work with it.

Protection Scheme

The protection scheme is based on three distinct mechanisms:

  1. The activation
  2. The jail
  3. The simlock

Activation
The first protection mechanism is activation. When you start the iPhone for the first time, it asks you to connect to iTunes (see the photo below). This is meant to prevent using the iPhone before the operator subscription is complete. However, as you can notice at the bottom of the photo, it is still possible to make an emergency call. This functionality is used to bypass the protection: the emergency dialer gives access to the contact list, where the URL of a website is entered as a new contact. That contact is then used to launch Safari and visit a site that exploits the TIFF vulnerability to jailbreak and activate the iPhone. Note that the vulnerability has been patched in firmware 1.1.2, but we will come back to this later. Amusingly, one of the first vulnerabilities used to hack the PSP was this very TIFF bug :) (who ever said that people learn from the past?). Once activated, every function is available except telephony: at this point the iPhone is a super iPod touch. One site that can be used for this is jailbreakme.

[Photo: the iPhone activation screen, with the emergency call button at the bottom]

To be more precise, the iPhone decides whether activation has been done by checking for a file maintained by lockdownd. Nowadays every activation method should create a correct lockdownd file, and the activation should survive upgrades and downgrades (I haven't tested this point myself, however).

Jailbreak
The second protection mechanism is the jail, and removing it is the "jailbreak". It is called that because by default it is not possible to install third-party software on the iPhone. Technically, the jail consists of two things:

  1. The operating-system file system is mounted read-only: you cannot write to it.
  2. There is no way to upload a file to the iPhone: iTunes does not allow it and Safari refuses to download files.

Hence the TIFF vulnerability mentioned above is used to remount the file system read-write, so that applications can be written to it, and to open a communication channel through which the first piece of third-party software is installed: a third-party application downloader and installer. The standard one is the AppTapp Installer 3 (see the screenshot below).
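The bug class behind that TIFF vulnerability, as an added illustration that is not code from the original post, from libtiff or from any jailbreak tool: the pre-fix libtiff routine that fetched two-element SHORT tags (the libtiff bug generally identified as CVE-2006-3459, the one the 1.1.1 jailbreak sites relied on) copied `count` values into a two-slot stack array without checking `count`, and the fix was a single rejection of counts above 2. The toy directory-entry reader below shows the unchecked pattern beside the hardened one; the structure and function names are mine, the two sample entries are constructed, and the out-of-line case is simplified to an offset into a single buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not libtiff code and not any jailbreak payload): a toy TIFF
 * directory-entry reader showing the unchecked "fetch a pair of SHORTs"
 * pattern beside its bounds-checked form. All sample bytes are constructed. */

#define TIFF_SHORT 3 /* TIFF field-type code for 16-bit unsigned values */

/* One 12-byte IFD entry in little-endian ("II") layout:
 * tag(u16) type(u16) count(u32) value-or-offset(u32). */
typedef struct {
    uint16_t tag;
    uint16_t type;
    uint32_t count;
    uint32_t value_or_offset;
} tiff_dir_entry;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the entry at the start of `file`. Returns 1 on success. */
int parse_entry(const uint8_t *file, size_t len, tiff_dir_entry *e) {
    if (len < 12) return 0;
    e->tag = rd16(file);
    e->type = rd16(file + 2);
    e->count = rd32(file + 4);
    e->value_or_offset = rd32(file + 8);
    return 1;
}

/* Copy e->count SHORTs into out[]. Up to two SHORTs are stored inline in the
 * value field; more live at value_or_offset. The out-of-line read is checked
 * against the file length, but nothing here knows how big out[] is: that is
 * the caller's responsibility. Returns the number of SHORTs copied. */
size_t fetch_short_array(const tiff_dir_entry *e, const uint8_t *file,
                         size_t len, uint16_t *out) {
    size_t i;
    if (e->count <= 2) {
        for (i = 0; i < e->count; i++)
            out[i] = (uint16_t)(e->value_or_offset >> (16 * i));
        return i;
    }
    if (e->value_or_offset > len || (len - e->value_or_offset) / 2 < e->count)
        return 0;
    for (i = 0; i < e->count; i++)
        out[i] = rd16(file + e->value_or_offset + 2 * i);
    return i;
}

/* VULNERABLE shape: a two-slot stack array receives e->count values, and
 * e->count comes straight from the file. An entry with count > 2 writes past
 * v[] on the stack. Never call this with an untrusted entry. */
int fetch_short_pair_unchecked(const tiff_dir_entry *e, const uint8_t *file,
                               size_t len, uint16_t *a, uint16_t *b) {
    uint16_t v[2] = {0, 0};
    if (fetch_short_array(e, file, len, v) != e->count) return 0;
    *a = v[0];
    *b = v[1];
    return 1;
}

/* HARDENED: reject the wrong type or any count above the buffer size before
 * the copy (the libtiff fix added exactly such a count > 2 rejection). */
int fetch_short_pair_checked(const tiff_dir_entry *e, const uint8_t *file,
                             size_t len, uint16_t *a, uint16_t *b) {
    uint16_t v[2] = {0, 0};
    if (e->type != TIFF_SHORT || e->count > 2) return 0;
    if (fetch_short_array(e, file, len, v) != e->count) return 0;
    *a = v[0];
    *b = v[1];
    return 1;
}

/* Constructed samples. SAMPLE_OK: tag 0x0150, SHORT, count 2, inline values
 * 5 and 9. SAMPLE_BAD: same tag, count 3, three values stored at offset 12. */
static const uint8_t SAMPLE_OK[12] = {
    0x50, 0x01, 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x09, 0x00};
static const uint8_t SAMPLE_BAD[18] = {
    0x50, 0x01, 0x03, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41};

/* Run the hardened fetcher over one sample: 1 if accepted, 0 if rejected. */
int checked_fetch(const uint8_t *sample, size_t len, uint16_t *a, uint16_t *b) {
    tiff_dir_entry e;
    if (!parse_entry(sample, len, &e)) return 0;
    return fetch_short_pair_checked(&e, sample, len, a, b);
}

int demo_accepts_good(void) {
    uint16_t a = 0, b = 0;
    return checked_fetch(SAMPLE_OK, sizeof SAMPLE_OK, &a, &b) == 1 && a == 5 && b == 9;
}

int demo_rejects_oversized(void) {
    uint16_t a = 0, b = 0;
    return checked_fetch(SAMPLE_BAD, sizeof SAMPLE_BAD, &a, &b) == 0;
}

int main(void) {
    printf("good entry accepted: %d\n", demo_accepts_good());
    printf("oversized entry rejected: %d\n", demo_rejects_oversized());
    /* fetch_short_pair_unchecked() on SAMPLE_BAD would overflow v[]; not run. */
    return 0;
}
```

Note where the check lives: `fetch_short_array` validates the offset against the file, which is the check most parsers remember, but it cannot know the size of the destination array. The pair fetcher is the only place that knows `v[]` holds two elements, so that is where the count has to be rejected; a file-relative bounds check alone leaves the stack write in place.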

[Screenshot: the AppTapp Installer]


Once the iPhone is activated and jailbroken, it is like a super iPod touch with custom apps and themes, as shown in the screenshots. Note that a writable file system also makes the iPhone more vulnerable: it is now possible to erase or tamper with system files.

[Screenshot: SummerBoard with a custom theme]

As I said earlier, the TIFF exploit only works on firmware 1.1.1 and below, so how does it work for 1.1.2 and above? The idea is pretty simple: the iPhone is upgraded to the desired firmware (1.1.2 for example) and then, using recovery mode, downgraded to 1.1.1 for activation and jailbreaking via the TIFF vulnerability. This works because downgrading the firmware does not downgrade the baseband (the modem software). Once the jailbreak is in place, a tool is installed to ensure that the second upgrade to the desired firmware does not remove it.

That is why jailbreaking is possible even on 4.6-bootloader iPhones such as the European ones, and why I said that the ability to bypass the protection is not tied to the firmware version: you can always downgrade to 1.1.1. Successful jailbreaks of Orange iPhones have been reported; in that case the activation is done with the Orange SIM card. One technical point: make sure the SIM card in the iPhone has no PIN code during the upgrade / downgrade / upgrade process.

The tools usually used to perform the jailbreak are iBrickr and iDemocracy:

[Screenshot: the iBrickr jailbreak screen]


Simlock
The last protection mechanism ensures that the iPhone is only used on the legitimate operator's network. It is the standard SIM-lock scheme used on every phone: you get a discount on the handset because you subscribe for at least X months. Here Europeans need to understand one key way in which iPhone sales differ in the US: you do not sign a contract when you buy the iPhone. The subscription is done at home through iTunes. This means you can walk into a store, buy an iPhone and never subscribe; the only thing preventing that is the protection scheme described here. This particularity, together with the ability to bypass the protection, explains why the iPhone black market is so active, amplified of course by the euro/dollar exchange rate. Tonight you can buy 1787 iPhones on eBay.

[Screenshot: eBay listings for the iPhone]

There are four methods to bypass this last protection. The two hardware techniques are commonly used on other cellphones.

The SuperSIM: you buy a programmable SIM, clone your SIM onto it and add information to make the iPhone believe it is a legitimate AT&T SIM card.

[Photo: a programmable SIM]

The TurboSIM: a thin card placed between your SIM card and the phone. As you can see in the photo below, you need to cut your SIM to make it fit.

[Photo: a SIM card cut to fit the TurboSIM]

The geohot method: this involves opening the iPhone to write the firmware directly to the hardware. Because it requires physically opening and modifying the iPhone, it is highly risky and has been abandoned.

Finally, the most common method is the software one. I am aware of at least two different approaches, but there may be others. The first works by patching the baseband to set the lockstate tables to unlocked and removing the utoken check. It has been replaced by the second, but it is the closest to a "true" unlock because the lockstate tables themselves end up unlocked. The second patches out the carrier check in the modem firmware; it is more easily reversible. Both work only with bootloader 3.9, because they rely on a flaw that was corrected in 4.6. That is why iPhone security bypasses are tied to the bootloader version and not to the firmware version.

[Screenshot: anySIM running on the iPhone]

If you have read this far (thanks, by the way), you have probably realized that most of the tutorials floating around the web for getting an unlocked 1.1.2 iPhone contain unnecessary steps. Indeed they do. If you have a 1.1.1 unlocked iPhone, the upgrade procedure is completely straightforward, provided you have a SIM card with no PIN code:

  1. Install the OkToPrep software, which will maintain the jailbreak during the upgrade (not totally accurate, but it gives you the idea).
  2. Upgrade the firmware to 1.1.2 with iTunes.
  3. Use the 1.1.2 jailbreak tool to re-activate and re-jailbreak the iPhone, thanks to OkToPrep.
  4. Re-patch the baseband with anySIM 1.2.1u. Don't forget that the BSD Subsystem must be installed and that airplane mode should be on during the unlock.
  5. You are done.

That's really all; no extra steps are required and the upgrade/downgrade cycle is totally useless. I have tested it myself, it works, and that is a good thing because it is consistent with the rest of the post :)

Let me now explain why I believe it is only a matter of time before iPhones with the 4.6 bootloader are broken. This is clearly the most technical part of the post, so you may want to skip it. So far, unlocks have relied on 3.9 bootloader bugs that were fixed in 4.6. First, a hardware unlock will become possible when the new firmware (1.1.3) is released, because the secpack will be updated. Secondly, a baseband exploit for 4.6 has been reported; while very hard to exploit, G. Hotz believes it is possible. This is confirmed by the fact that the Dev Team is working on a SIM-unlock solution for firmware 1.1.2 on the 4.6 bootloader. It will use the IPSF zeroed-token RSA hack, and will have the advantage of persisting through updates and restores.

I will conclude this already too long post with three remarks on the relation between the 4.6 and 3.9 bootloaders.

First, why didn't Apple upgrade the bootloader in firmware 1.1.2? During the upgrade from 1.0.2 to 1.1.1 the bootloader was updated, and as a consequence many AT&T customers bricked their iPhones. The cost of such an upgrade might therefore be prohibitive for Apple: it would simply cost too much in support.

Secondly, for the same reason, downgrading the firmware is unlikely: besides all the technical problems, it is too risky.

Thirdly, even if the bootloader is updated, the war is far from over. The baseband code is much larger than the bootloader and no vulnerability has been discovered in it so far; it is, however, a very good candidate.

I hope this post has interested you. Feel free to comment on it or share it. The next post will be on the notion of attack surface.