The unofficial, official blog of the "iphone-dev team".
" To find yourself, think for yourself " - © Socrates 469 BC

Two steps forward...

… one step back.

Disclaimer!!  This is a purely technical post with no pragmatic use!  There is no 3G unlock in this post.  There is no iPod Touch 2G jailbreak in this post.  It’s just a random technical post related to the 3G unlock.

We’ve been exploring different ideas with the 3G unlock, but this past weekend one of us hit a big snag. For whatever reason, all of our poking and prodding of the 3G baseband caused it to finally have a breakdown.   After one specific exploit run, all of a sudden our baseband stopped responding to the OS.   Even after multiple restore attempts, we were plagued with errors like this:

SPI error

Somehow our software hacking had caused the baseband chip’s SPI bus to stop responding (so it looked like a hardware problem).   Even though BBUpdaterExtreme reported the correct baseband version, it failed basic tests like memtest:

memtest fail

If you’re familiar with the baseband revision history for the 3G iPhone, you may have noticed that the above captures were done at the original 01.45 baseband.  As dire (and hardware-related) as these messages sounded, though, there was a simple solution.  We just updated to 01.46 and then downgraded again (because we can run unsigned code on the baseband CPU) to 01.45.

flashing back to 01.45

We tried to recreate the problem by using the same exploit over again, but it doesn’t appear to be reproducible (which is actually disappointing, as it might have been exploitable).

Anyway, there you go…a random, technical snapshot of dev team work.


Timber!!!

While we continue working on the two current remaining challenges from Apple (the iPhone 3G soft unlock and iPod Touch 2G jailbreak…see the end of this post), we’re also watching the latest beta releases from Apple.

The first beta 2.2 from Apple reveals a few things:

  1. They’re continuing with their ski-resort theme; version 2.2 is nicknamed Timberline.
  2. They’ve gone back to using expiry dates.  The first 2.2 beta is due to expire on November 30, 2008.  They stopped using expiry dates about halfway through the 2.1 betas, but for some reason they’ve started using them again.
  3. Version 2.2 is still vulnerable to pwnage and quickpwn on everything but iPod Touch 2G.


To demonstrate point #3, here’s the non-AppStore application Terminal.app running on 2.2, showing the kernel build information.

Hardware already vulnerable to pwnage remains vulnerable in version 2.2.

Terminal.app on 2.2

Regarding the two current challenges:  the 3G iPhone soft unlock and iPod Touch 2G jailbreak are still relatively new challenges (compare them with the timeframe of the iPhone challenges last year).  We’re making slow advances on both fronts, but it’s not the sort of thing that can be easily described in a blog like this.  

But, to maybe show how interlinked these challenges are, this weekend we’ll be trying some hardware based ideas on the iPod Touch 2G jailbreak :)


Redmond, we have a Pwnapple!

Windows QuickPwn 2.1

Supports 2.1 firmware with the unlocking and jailbreaking of iPhone 1st generation (2G) devices, and the jailbreaking of iPod Touch 1st generation devices and the iPhone 3G. Your device will need to be upgraded to 2.1 (using iTunes 8) before running this application.

  • It does NOT support the unlocking of iPhone 3G 
  • It does NOT support the jailbreaking of second generation iPod Touch introduced last week
  • Windows QuickPwn 2.1 - Torrent here
  • (SHA1) QuickPwn21-1.zip = f8124d0e8f31f64ef3272de8fbc679e1dd1f93a7

You will need to know how to use bittorrent to download this file.

Mirror owners should email blog@iphone-dev.com with direct hosted zipfile links (with the correct MIME type). RapidShare or other file distribution services are not needed thanks. Links will be added to this post soon.

Mirrors

The following links are unofficial download mirrors, the files that are downloadable below have not been tested for authenticity. You download these files at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet, or even worse if your hands fall off mid-way during the use of these archives. Always check the files that you have downloaded against the published SHA1 sums. We would prefer that you downloaded the official bittorrent release above, but you can try these if you really don’t want to use bittorrent.


U Can't Touch This.

“U Can’t Touch This” were the words of the great MC Hammer in 1990, but we just couldn’t wait to “touch it” as soon as the new slinky wafer-thin iPod was unveiled by Father Jobs a week ago.

We are especially eager to experiment with this device because the n72ap in the new iPod Touch 2G may give us insight into upcoming iPhones.

So a few hours ago the large truck backed into the DevTeam warehouse where the crate of iPod touché devices was dropped off, and we started the very earliest stages of investigation (which means fun!) ;-)

We won’t have more to say unless there’s more to say. Hammertime!


PwnageTool and QuickPwn for 2.1 Firmware


Some of the popular press and blogs have been backing the opposition. :-)

While criticism and competition are fine, they should be reported correctly, with all the facts and certainly minus the FUD. Do you guys think we are “less and less relevant with each passing day”?   We don’t think so, and we certainly prefer our hacks to theirs.

Though even if the world deems us irrelevant, the iPhone family of devices is still fun to hack!  

By the way we figured out a way to combat iTunes 8 without patches…and we’re waiting to see what Apple tries next.  But we think they might want to rethink their priorities.  They probably won’t though, and so we get back to the “cat and mouse” game between Apple and the Dev Team and other third-party communities.

Here are the new versions of PwnageTool and QuickPwn that support the 2.1 firmware.  And as we just mentioned, iTunes was not harmed in the process ;-) no patching was required.

This does not address the new iPod Touch 2G device released this week.  Partly because none of us even have one yet :)

SHA1 sums:

  • PwnageTool_2.1.dmg = 0b2dcb51e224b12590793e8a758dd80c450e5b64
  • QuickPwn_1.1.dmg = 92487230c66296ec1e414260b5f107e5d351923f

PLEASE NOTE: COPY THE APPLICATION TO YOUR APPLICATIONS FOLDER OR DESKTOP BEFORE RUNNING. RUNNING DIRECTLY FROM THE DISK IMAGE WILL CAUSE ERRONEOUS BEHAVIOR (such as missing bootloader files and other oddities).

We’ve released using BitTorrent to lighten the load of the initial downloads, then we’ll add a direct link and Sparkle update when we can. If you don’t know how to use BitTorrent, then hold off for a while. 

Mirrors

The following links are unofficial download mirrors, you download these at your own risk, we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet, or even worse if your hands fall off mid-way during the use of these archives. Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release above, but you are welcome to try these if you really must.
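The advice in this post and in the QuickPwn 2.1 post above (always check a download against the published SHA1 sums before running it) as a script. This is an added example, not code from the original posts or from the Dev Team’s tools; the sums in PUBLISHED_SHA1 are the ones printed on this page, and the stand-in archive that demo() writes is constructed for the demonstration and is not a real release.

```python
"""Check a downloaded Dev Team archive against the SHA1 sums published on this blog.

Added example, not code from the original posts or the Dev Team's tools.
PUBLISHED_SHA1 is copied from the sums printed on this page; the stand-in
file that demo() writes is constructed here and is not a real release.
"""
import hashlib
import os
import tempfile

# Filename -> SHA1 hex digest, exactly as published in the posts on this page.
PUBLISHED_SHA1 = {
    "QuickPwn21-1.zip": "f8124d0e8f31f64ef3272de8fbc679e1dd1f93a7",
    "PwnageTool_2.1.dmg": "0b2dcb51e224b12590793e8a758dd80c450e5b64",
    "QuickPwn_1.1.dmg": "92487230c66296ec1e414260b5f107e5d351923f",
    "QuickPwn_1.0.0.tbz": "22ee0d6814a6bac9b1b9a8c7715dd714bd6bb449",
    "PwnageTool_2.0.3.1.tbz": "a3faf5c074d5556a40ce4c7678a51995b5767073",
    "PwnageTool_2.0.3.tbz": "91e670e0c623cd43f5e8cfbfaae6c23d98d8f31b",
}

HEX_DIGITS = frozenset("0123456789abcdef")


def is_valid_sha1_hex(text):
    """True if text is a well-formed 40-character SHA1 hex digest (either case)."""
    t = text.strip().lower()
    return len(t) == 40 and set(t) <= HEX_DIGITS


def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a large .dmg/.ipsw need not fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex):
    """Return True only if the file's SHA1 equals the published sum.

    A malformed published sum (truncated, or not hex) raises instead of
    quietly reporting "no match", so a copy-and-paste error is noticed.
    """
    if not is_valid_sha1_hex(published_hex):
        raise ValueError("not a SHA1 hex digest: %r" % (published_hex,))
    return sha1_of_file(path) == published_hex.strip().lower()


def verify_against_published(path):
    """Look the file up by basename and verify it.

    Returns (known, ok). known=False means the blog published no sum for this
    filename, so a mirror's copy cannot be vouched for at all.
    """
    name = os.path.basename(path)
    if name not in PUBLISHED_SHA1:
        return (False, False)
    return (True, verify_download(path, PUBLISHED_SHA1[name]))


def demo():
    """Write a constructed stand-in for QuickPwn21-1.zip and check it both ways.

    Returns (known, ok_against_published, ok_against_own_sum).
    """
    tmpdir = tempfile.mkdtemp()
    fake = os.path.join(tmpdir, "QuickPwn21-1.zip")  # constructed, not the real archive
    with open(fake, "wb") as f:
        f.write(b"PK\x03\x04 this is not the real QuickPwn 2.1 archive\n")
    known, ok = verify_against_published(fake)
    # The same bytes do match their own sum, and upper-case hex is accepted.
    own = verify_download(fake, sha1_of_file(fake).upper())
    return (known, ok, own)


if __name__ == "__main__":
    print(demo())  # -> (True, False, True)
```

On OS X the same check is `openssl sha1 <file>` or `shasum <file>`. The check only means something when the sum comes from the Dev Team’s own post and the file from a mirror: a mirror that serves both the archive and its “published” sum can make anything verify, which is why the posts say to compare against the sums on this blog and not against whatever the mirror page shows.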

Direct Downloads - QuickPwn

Direct Downloads - PwnageTool


Important update: Hmm, well, Thomas Ricker has put our fate in your hands. Please vote in his poll!
Should we press on? Or just throw in the towel?  Do “rogue” applications like Cycorder, NES.app (and the other console emulators) — and all the other applications that Apple won’t approve — matter?  That includes unlocking :)


QuickPwn - fake sites

We would just like to point out that there are lots of fake sites using the QuickPwn name. These muppets don’t know anything special, and they don’t have anything unique. They are vultures that sit on the domain names and plagiarize content and information in the hope that you donate to them, or click the Google ads.

As we’ve mentioned before we don’t accept donations and we certainly don’t allow ads on our site, anyone who asks for donations in our name is lying, end of story.

So we would recommend that you stay away from badly designed chaotic sites (especially ones of a monochrome variety) that capitalize on the name of our tools.

Spammers should also watch out (even if they are part of the extended iPhone community). Like any decent blog we do not moderate our comments, we let the criticism flow alongside the praise but we certainly do filter on spamwords and then decide if they get posted. Play nice people, spamming just isn’t cool.

Now of course all that stuff isn’t cool, but be prepared for some stuff from us today that is cool.


Countermeasures

If you’ve been following the technical aspects of our blog since July, you may have noticed that we’ve asserted multiple times that Apple can’t fix the bug we’ve exploited in PwnageTool unless they fix their hardware.

That hardware fact is still true.  But one way they can try to combat Pwnage for existing hardware is to program iTunes to detect and prevent the Pwnage exploit.  In fact, they’ve already done that in iTunes 8.  The screenshot below from iTunes 8 using a Pwned ipsw (with an unPwned device attached) is one example.

countermeasure

The nice thing about iTunes decisions is that we can provide you with patches to counter them.  We have one such patch already for Mac iTunes 8 for iPod touch.  We’ll be working out the full suite of patches for all the combinations over the next week.

Here are 2 screenshots that Apple doesn’t want you to see.  Notice the Terminal icon at the end of:

Then once we’ve launched it, despite mobiledevice’s best intentions:


iPhoff '08


Q: What do a bunch of Slavic speaking iPhone geeks do at the end of the summer to get some R&R, brainstorm and make sure they get the maximum amount of sunshine possible?

A: They go to beautiful Varvara in Bulgaria, of course! They talk iPhones, drink vodka and super strong rakia, then party late into the night :-)

iPhoff ‘08 was the first meeting of the Bulgarian iPhone fans where a few DevTeam members held honorary guest positions.

Lots of interesting chat took place, and by the second bottle of rakia iPhones became building blocks, ashtrays, cigarette lighters and various things they were not made for :) Don’t worry about the iPhones most of these guys needed an excuse to buy 3G handsets anyhow ;)

Extra special thanks to Атанас Чобанов for being an excellent host and looking after our guys.


i can haz 3G?

A DevTeam member by-proxy, “Duchess”, was so upset with the lack of 3G unlock that she went around and bought up all the available SIM-free 3G handsets in her town. Wow, her gold card must have been manxed out that day. All this spending is tab-be expected from such a girl. Previously it has been suggested that with all the time we spend geeking out, we’d have no time for pussy; well, you were wrong.


NB: This is NOT any cryptic update on 3G unlock progress, just a cool photo from one of our members,  so conspiracy theorists please replace your tin-foil hats ;) We are still working on the 3G unlock as hard as we can.


One happy Pwnage advocate

Here’s one happy Pwnage advocate.  Anyone know who he is?  :)

who is this

Update: By the way, Woz is no stranger to iPhone Dev Team hacks.  Some of you may remember him using the Dev Team’s ridiculously easy 1.1.1 jailbreak, which required absolutely no PC or Mac at all, just a web page visit to http://jailbreakme.com

That was done on Kathy Griffin’s actual show:  http://www.viddler.com/explore/engadget/videos/23/


QuickPwn - Mac

Here is the long-awaited “QuickPwn” for Mac OS X. You’ll see a similarity to the user interface of PwnageTool; this is because of the great feedback we’ve had since we moved to that interface with PwnageTool 2.x.

QuickPwn is not a replacement for PwnageTool; they are different tools and provide different features. QuickPwn is for quickly pwning a device, whereas PwnageTool is designed to custom-build and tailor the ipsw production process. Both tools will be actively developed in the future.

To use QuickPwn 1.0 for Mac OS X your device should be running 2.0.2; if it isn’t, you can upgrade it to 2.0.2 using iTunes and then use the QuickPwn tool. We repeat: it’ll only work on version 2.0.2 of the iPhone or iPod touch firmware.

If you don’t want specific things to happen, such as baseband updates, then PwnageTool should be used to create a custom .ipsw with your specifics.

Here is the official torrent for the release. We are seeding it on a few different servers so it should be well seeded already, but we think it’ll be a popular download, so we thought we’d use bittorrent as some of you were not too happy about 2kb/s downloads :)

If you are not comfortable using bittorrent, come back in 12 hours and we’ll post a direct link on our server (when the initial rush has died down a bit!)

Remember, don’t use “The Unarchiver” to decompress the .tbz file that you download with bittorrent, use “Archive Utility” that ships with OS X.

SHA1 sums

QuickPwn_1.0.0.tbz (via torrent) = 22ee0d6814a6bac9b1b9a8c7715dd714bd6bb449


DevTeam at DefCon

The iPhone Dev Team was nicely represented at the most recent DefCon in Las Vegas: bushing, MuscleNerd, and 2 other unnamed members were there soaking up the info. At one of the night parties we got a Cycorder capture of the GRL’s awesome laser tag system. This uses a DLP projector to project an image that is drawn in real time from the motion capture of the point produced by a high-power green laser; check out the message.


DefCon from iphonedev on Vimeo.

If you’d like to see more of the GRL laser tag system, there is a great video of them bombing El Corte Inglés and other high-profile locations in Barcelona.

We’ve also got some nice video of Woz doing some cool stuff (well, we think it is cool), but we just need to make sure it’s ok to show and that names are changed to protect the innocent :)


Interesting stuff..

One of our members, “planetbeing”, has written an interesting blog post over at his very cool blog. It talks about the “similarities and differences between QuickPwn and ZiPhone”. It was posted last week, but it is such an insightful post that we thought we’d link to it here.

Swatting...

We’ve had some issues with iPod touch devices and the latest version of PwnageTool for the Mac: in certain conditions incorrect permissions will be used and the keychain doesn’t save passwords. So hold on and wait for the next release; we’ll push out the updated version via Sparkle as soon as it is tested (it is being tested right now). We have also encountered some issues with the Windows beta of QuickPwn, and we have an update that should fix the issues seen with 64-bit Windows versions and should be usable with all versions of Windows, but as with all beta software other bugs may be present.

UPDATE: New Windows QuickPwn Release Candidate (RC3)

UPDATE: Sparkle update for PwnageTool (Mac) being pushed out now! Direct link here 

NB: Only use the .tbz file that is distributed by us. The SHA1 sum for PwnageTool_2.0.3.1.tbz is a3faf5c074d5556a40ce4c7678a51995b5767073.


Happy Update Day!

PwnageTool 2.0.3 is available. This version provides support for iPhone/iPod firmware 2.0.2 5C1, it has an updated Installer.app beta (b6) and contains a new .de localization for our large number of German friends. The application SHOULD ONLY be downloaded as a .tbz file from our servers and should NOT be decompressed using the application called “The Unarchiver” (this breaks permissions within PwnageTool); just use the standard OS X built-in ‘Archive Utility’ to decompress. The SHA1 sum of PwnageTool_2.0.3.tbz is 91e670e0c623cd43f5e8cfbfaae6c23d98d8f31b.

Also released today is the ‘150’ beta update to the Windows QuickPwn application. This contains a revised GUI from Poorlad that has tighter integration into the main updated QuickPwn executable, which has fixes for YouTube and provides BootNeuter support for the unlock of 2G iPhones. Remember, this is still beta software; use at your own risk. The updated tool is available for download here. NB: QuickPwn Windows doesn’t work well with virtualization as there are some problems with the way USB resets are handled, so we wouldn’t advise trying it. We have had reports of some success with VMWare Fusion 2.0 Beta 2, but this shouldn’t be relied on; use PwnageTool instead, or wait for QuickPwn Mac.

QuickPwn for Mac is being tested right now by a group of testers and we’ll release this when it is ready for public beta (this won’t be within the next 24 hours, but should be within the next week).

There are no significant updates with regard to the 3G baseband unlock, most of us have been busy with real life, when we get any further we’ll let you know.
