<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><description></description><title>Dev-Team Blog</title><generator>Tumblr (3.0; @devteam)</generator><link>http://blog.iphone-dev.org/</link><item><title>Ultrasn0w update</title><description>&lt;p&gt;Today we released an ultrasn0w update that fixes an issue for those running firmware 3.1.x with the 04.26 baseband.  That specific combination resulted in a missing carrier name in the upper left-hand corner of your home screen.  Today’s ultrasn0w update from 0.91 to 0.92 fixes that problem (which was an important issue for roaming). You should see the update available if you have &lt;a href="http://repo666.ultrasn0w.com" target="_blank"&gt;http://repo666.ultrasn0w.com&lt;/a&gt; as a Cydia source.  Enjoy!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/238376673</link><guid>http://blog.iphone-dev.org/post/238376673</guid><pubDate>Mon, 09 Nov 2009 23:59:00 +0300</pubDate></item><item><title>Baseband reprieve</title><description>&lt;p&gt;iPhone 3G/3GS owners who found themselves stuck with version 05.11 of the baseband (either by accident or because they bought it that way) are now in luck!  geohot was able to turn the already-public at+xemn crash into an injection vector, which can be used to inject his version of the unlock.  The blacksn0w unlock is available for free via Cydia by adding the repository &lt;a href="http://blackra1n.com" target="_blank"&gt;http://blackra1n.com&lt;/a&gt; in the Manage-&gt;Sources panel.  Congratulations, geohot!&lt;/p&gt;
&lt;p&gt;Those of you who are already unlocked at 3.1.2 because you kept your 04.26 baseband now have an extra cushion of comfort, and more choices: ultrasn0w, purplesn0w, and now blacksn0w (and of course the original yellowsn0w too if you’re still back at FW 2.x).   Whether or not you choose to update your baseband solely to use the new unlock is a personal choice, but so far there are no advantages to doing so (and remember you can’t come back to 04.26 after you’ve gone to 05.11).&lt;/p&gt;
&lt;p&gt;As with all the unlocks, it will probably very soon be re-sold through scam sites that charge you money for what is offered to the community for free.  Please stay vigilant for these scam sites and steer your friends away from them.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update&lt;/b&gt;: Some commenters are reporting a lingering problem with WiFi while using blacksn0w.  Some are able to solve it with a single “Reset Network Settings” but others say they need to do that periodically.  So far there seems to be no pattern to those affected or the best way to fix it.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/232020146</link><guid>http://blog.iphone-dev.org/post/232020146</guid><pubDate>Tue, 03 Nov 2009 20:51:00 +0300</pubDate></item><item><title>Happy Pwnkin Day</title><description>&lt;p&gt;No, this is not a release post!  Just wanted to wish iPhone and iPod touch users everywhere a Happy Halloween!&lt;/p&gt;
&lt;p&gt;&lt;a href="http://iphwn.org/pwnkin_mnerd.jpg" target="_blank"&gt;&lt;img src="http://iphwn.org/pwnkin_mnerd_nite.jpg" alt="pwnkin_mnerd_nite" width="480" height="640"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://macenstein.com/default/2009/10/this-is-why-i-never-jailbreak-my-pumpkins/" target="_blank"&gt;&lt;img src="http://iphwn.org/pumpkin_iPhone_restore.jpg" alt="pumpkin_iPhone_restore" width="480" height="640"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitter.com/Bf2loser/statuses/5323218635" target="_blank"&gt;&lt;img src="http://iphwn.org/u3m1.jpg" alt="u3m" width="480" height="360"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitter.com/danthegeek/status/5327125946" target="_blank"&gt;&lt;img src="http://iphwn.org/urd.jpg" alt="urd" width="480" height="360"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitter.com/swarren08/status/5327422319" target="_blank"&gt;&lt;img src="http://iphwn.org/kxk.jpg" alt="kxk" width="480" height="360"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://bit.ly/Lnu8a" target="_blank"&gt;&lt;img src="http://iphwn.org/lnu8a.jpg" alt="lnu8a" width="480" height="360"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitpic.com/ntphp" target="_blank"&gt;&lt;img height="360" width="480" alt="toronto" src="http://iphwn.org/toronto.jpg"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitter.com/gspiers/statuses/5334722988" target="_blank"&gt;&lt;img height="360" width="480" alt="wah" src="http://iphwn.org/wah.jpg"/&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This next one obviously isn’t a pumpkin but who can pass up on laser art by &lt;a href="http://twitter.com/marcan42" target="_blank"&gt;marcan&lt;/a&gt;!&lt;/p&gt;
&lt;p&gt;&lt;a href="http://twitter.com/marcan42/status/3318269905" target="_blank"&gt;&lt;img height="599" width="480" alt="marcan laser fun" src="http://iphwn.org/pwnapple_marcan.jpg"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;If you have an iPhone or Apple related pumpkin photo you’d like to share, send it on in to blog@iphone-dev.org or tweet it to MuscleNerd :)  The first pumpkin with our dev team pwnapple logo is MuscleNerd’s and for credit on the others, just click on them.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/229313823</link><guid>http://blog.iphone-dev.org/post/229313823</guid><pubDate>Sun, 01 Nov 2009 03:53:00 +0300</pubDate></item><item><title>Pwnage Pie</title><description>&lt;p&gt;Here are some details on our latest version of PwnageTool 3.1.4 for Mac OS X which supports the 3.1.2 release of the iPhone software for iPhone 2G/3G/3GS and iPod Touch 1G/2G.&lt;/p&gt;
&lt;p&gt;If you’re already jailbroken (by whatever means), you don’t need to mess around with DFU mode at all.  Just create (or get from a friend) your custom IPSW and Option-Restore (Shift-Restore on Windows) to it via iTunes.  Don’t enter DFU mode at all.  Please &lt;b&gt;make sure&lt;/b&gt; you are restoring to the custom IPSW, not the stock one from Apple!  For best results, use the latest iTunes (9.0.1) — which includes a nice new application organizer.&lt;/p&gt;
&lt;p&gt;This release &lt;b&gt;allows your baseband to remain unlocked&lt;/b&gt; at 3.1.2, but it &lt;b&gt;does not unlock a new baseband&lt;/b&gt; put there by restoring to official 3.1.x.  It is super important that people who need the unlock understand that they can keep it only by starting at 3.0 (or earlier) and updating solely to custom IPSWs that don’t update the baseband.  For those who have been onboard the “unlock train”, simply install ultrasn0w via Cydia once you’ve restored to your custom IPSW.  Don’t forget to turn off the “3G” setting in Settings-&gt;General-&gt;Network if you use T-Mobile in the U.S.A.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Note for 3GS users&lt;/b&gt; not already jailbroken and stuck at 3.1.x: this version of PwnageTool has a side feature to jailbreak your 3GS.  It uses a simple implementation of the usb control msg hole &lt;a href="http://theiphonewiki.com/wiki/index.php?title=Usb_control_msg%280x21%2C_2%29_Exploit" target="_blank"&gt;found by chronicdev, geohot, and our very own gray&lt;/a&gt;.  &lt;b&gt;(Update: please make sure iTunes and iTunesHelper are not running &lt;/b&gt;when PwnageTool asks you if your 3GS is already jailbroken/pwned).  Now that the hole is public and in use, we expect Apple to close it by the next major firmware update. That’s why 3GS users need to get their ECID hashes for 3.1.x now, and need to stay onboard the “jailbreak train” in all future updates.  For more details on what this means, please see our earlier posts or ask in our comments section (moderated by the always helpful &lt;a href="http://twitter.com/angiexpangie" target="_blank"&gt;@angie&lt;/a&gt; and &lt;a href="http://twitter.com/confuciousmobil" target="_blank"&gt;@confucious&lt;/a&gt;!).&lt;/p&gt;
&lt;p&gt;For the early adopters who ran blackra1n and are having problems with mobilesubstrate, winterboard, diskaid, or ifunbox, you can install a custom .ipsw from PwnageTool to fix these issues.  That’s because all jailbroken devices accept a custom .ipsw created by PwnageTool.  (However, if you ran blackra1n on a 3G or 3GS that means you updated to stock 3.1.x, and the carrier unlock is now out of reach.  We’ll continue to work on a carrier unlock for the latest basebands, but the timeframe for such an unlock is unknowable.)&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Note: &lt;/b&gt;If you use internet tethering on a carrier that doesn’t officially support it, you’ll lose it by going to 3.1.x.  Stay back at 3.0 until a hack for that is developed.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SUMMARY:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The&lt;b&gt;&lt;i&gt; iPhone 3GS is now supported out of the box in PwnageTool 3.1.4 (or if you have upgraded to 3.1.x in iTunes)&lt;/i&gt;&lt;/b&gt;
&lt;/li&gt;
&lt;li&gt;The&lt;b&gt;&lt;i&gt; iPod 2G is still supported in PwnageTool 3.1.4 but you must already be jailbroken (we’ll update this if there’s a big demand from non-jailbroken ipt2G owners)&lt;/i&gt;&lt;/b&gt;
&lt;/li&gt;
&lt;li&gt;The&lt;b&gt;&lt;i&gt; iPod touch 3G is NOT supported&lt;/i&gt;&lt;/b&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;DETAILS:&lt;/b&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;b&gt;GOLDEN RULE:&lt;/b&gt; If you are using an iPhone 3G or iPhone 3G(S) with ultrasn0w and rely on ultrasn0w to obtain cellular service, then &lt;b&gt;you should only update your device with an .ipsw that is made with the new PwnageTool&lt;/b&gt;. There are no second chances with this. You need to remember that PwnageTool will provide an upgrade path to newer versions of the iPhone software in the future.&lt;/li&gt;
&lt;li&gt;Please read all parts of this post before downloading and using these tools.&lt;/li&gt;
&lt;li&gt;Read items 1, 2 and 3 again and again.&lt;/li&gt;
&lt;li&gt;At the bottom of this post are the bittorrent files for the 3.1.4 capable version of PwnageTool.&lt;/li&gt;
&lt;li&gt;PwnageTool will work for the iPhone 3GS &lt;/li&gt;
&lt;li&gt;PwnageTool will work for the iPod touch 2G&lt;/li&gt;
&lt;li&gt;PwnageTool WILL work for Original iPhone (1st Generation), the iPhone 3G and iPhone 3G(S) and the iPod touch (1st Generation and 2nd Generation) but NOT the iPod touch 3rd generation.&lt;/li&gt;
&lt;li&gt;For 3G and 3G(S) users who are Pwned, PwnageTool is your key to updating in the future. Just remember never to install an update directly from Apple; always use an .ipsw that has been created with PwnageTool.&lt;/li&gt;
&lt;li&gt;There is no Windows version of PwnageTool yet.  It is currently a Mac OS X tool only.  Custom IPSWs created on a Mac can be used on a Windows machine too.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;b&gt;What’s a Baseband?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The ‘baseband’ is the generic nickname given to the internal components of the iPhone that handle the phone calls and Internet access. This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone. It is separate from the main system that handles the applications (such as email and google maps), and it talks to the main part of the phone over an internal communications network.&lt;/p&gt;
&lt;p&gt;Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features).&lt;/p&gt;
&lt;p&gt;The 3.1.2 update for the iPhone 3G and 3GS contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;WHICH DEVICE DO I HAVE?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Read the description to identify your device. Once you have correctly identified your device, follow the specific instructions for that device as listed below.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SIM Free/SP Unlocked/Factory Unlocked iPhone 3G(S)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This applies if you bought your iPhone 3G(S) for $$$$$$$. This model of iPhone 3G(S) doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates; you can use PwnageTool to create an ipsw and then use this to update and jailbreak your phone.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SIM Free/SP Unlocked/Factory Unlocked iPhone 3G&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This applies if you bought your iPhone 3G for $$$$$$$. This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates; you can use PwnageTool to create a 3.1.ipsw and then use this with iTunes to upgrade and jailbreak your phone.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPhone 3G &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPhone 3G(S)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPhone 2G (1st Generation)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw. ‘Nuff said, you don’t need to worry about anything: the baseband will be unlocked, the phone jailbroken.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 1G (Original iPod Touch)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 2G&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to create a firmware image and restore with that .ipsw to your already jailbroken device using iTunes.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 3G&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;At this time PwnageTool does not support this device.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Official Bittorrent Releases -&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;&lt;a href="http://xs1.iphwn.org/releases/PwnageTool_3.1.4.dmg.5122330.TPB.torrent" target="_blank"&gt;PwnageTool 3.14 Torrent&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;PwnageTool_3.1.4.dmg.5122330.TPB.torrent&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;SHA1(PwnageTool_3.1.4.dmg.5122330.TPB.torrent)= d9d44258ade35623ec71e83520943b6f4baa568a&lt;/b&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Unofficial Mirrors&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors. You download these at your own risk; we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site.  Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. &lt;b&gt;Mirror owners should email &lt;u&gt;direct links only&lt;/u&gt; to blog@iphone-dev.org&lt;/b&gt;; please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool_3.1.4.dmg" target="_blank"&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://downloads2.touch-mania.com/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://download.sourcekills.com/files/applications/devteam/PwnageTool_3.1.4.dmg" target="_blank"&gt;&lt;a href="http://download.sourcekills.com/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://download.sourcekills.com/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://old.bielsipod.de/Daten/PwnageTool_3.1.4.dmg" target="_blank"&gt;&lt;a href="http://old.bielsipod.de/Daten/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://old.bielsipod.de/Daten/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a target="_blank" href="http://www.hackthatphone.net/PwnageTool_3.1.4.dmg"&gt;&lt;a href="http://www.hackthatphone.net/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://www.hackthatphone.net/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a target="_blank" href="http://miphone.ca/iphone-dev/PwnageTool_3.1.4.dmg"&gt;&lt;a href="http://miphone.ca/iphone-dev/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://miphone.ca/iphone-dev/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.appleturk.net/ATWT/PwnageTool_3.1.4.dmg" target="_blank"&gt;&lt;a href="http://www.appleturk.net/ATWT/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://www.appleturk.net/ATWT/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.apfelphone.net/dl/PwnageTool_3.1.4.dmg%20" target="_blank"&gt;&lt;a href="http://www.apfelphone.net/dl/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://www.apfelphone.net/dl/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://apfelportal.de/host/images/dev-team/PwnageTool_3.1.4.dmg%20" target="_blank"&gt;&lt;a href="http://apfelportal.de/host/images/dev-team/PwnageTool_3.1.4.dmg" target="_blank"&gt;http://apfelportal.de/host/images/dev-team/PwnageTool_3.1.4.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/211802082</link><guid>http://blog.iphone-dev.org/post/211802082</guid><pubDate>Tue, 13 Oct 2009 11:44:00 +0400</pubDate></item><item><title>3.1.2 and you?</title><description>&lt;p&gt;&lt;b&gt;WARNING! At 10.20AM PDT on October 8th 2009 Apple released the 3.1.2 version (7D11) of the iPhoneOS.&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;If you care about your jailbreak and unlock, don’t update your device - 3G and 3G(S) owners &lt;b&gt;&lt;i&gt;should pay particular attention to this warning.&lt;/i&gt;&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;PwnageTool and redsn0w&lt;b&gt; are not yet compatible&lt;/b&gt; with 3.1.2&lt;/li&gt;
&lt;li&gt;There is no estimated release time for compatible tools (&lt;i&gt;please&lt;/i&gt; don’t bug us about this).&lt;/li&gt;
&lt;li&gt;Any information we have regarding this update will be posted here.&lt;/li&gt;
&lt;li&gt;You can also follow us on twitter - &lt;a href="http://twitter.com/iphone_dev" target="_blank"&gt;@iphone_dev&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;a href="http://twitter.com/wizdaz" target="_blank"&gt;@wizdaz&lt;/a&gt; has made a very cool &lt;a href="http://bayimg.com/FAeNBaaCf" target="_blank"&gt;DevTeam alert widget&lt;/a&gt; for his upcoming app called &lt;a href="http://www.youtube.com/watch?v=4XTnnkUjnO8" target="_blank"&gt;SmartScreen&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Update: &lt;/b&gt;geohot released a Windows jailbreak called “blackra1n” which is similar to redsn0w in that it covers multiple devices (and it covers beyond just firmware 3.0.1 where redsn0w currently stops).  &lt;b&gt;blackra1n is not a carrier unlock.  You must always avoid updating your baseband to maintain your unlockability.  If you use blackra1n to jailbreak 3.1 or 3.1.2, the steps you take before running blackra1n will prevent the unlock from working on your iPhone for potentially a very long time. &lt;/b&gt; By the way, we haven’t yet tested whether a blackra1n’d device can accept a custom IPSW without tweaks, but if it doesn’t then it should only require a minor change.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/207705127</link><guid>http://blog.iphone-dev.org/post/207705127</guid><pubDate>Thu, 08 Oct 2009 22:10:00 +0400</pubDate></item><item><title>All aboard the update train! </title><description>&lt;p&gt;Here are some details on our latest version of PwnageTool for Mac OS X that adds support for the 3.1 release of the iPhone software for iPhone 3GS and iPod Touch 2G.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SUMMARY:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The&lt;b&gt;&lt;i&gt; iPhone 3GS is now supported in PwnageTool 3.1.3,&lt;/i&gt;&lt;/b&gt; &lt;i&gt;assuming the phone was pwned at 3.0 or 3.0.1&lt;/i&gt; - PwnageTool does not support the 3GS out of the box. If your iPhone 3GS has 3.1 preinstalled and is not Pwned then there is no tested jailbreak solution&lt;i&gt; at the moment. &lt;/i&gt;&lt;/p&gt;
&lt;p&gt;The&lt;b&gt;&lt;i&gt; iPod 2G is now supported in PwnageTool 3.1.3&lt;/i&gt;&lt;/b&gt;,&lt;i&gt; assuming the iPod 2G was pwned at 3.0 or 3.0.1&lt;/i&gt; - PwnageTool does not support the iPod 2G with 3.1 software &lt;i&gt;out of the box.&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;DETAILS:&lt;/b&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;b&gt;GOLDEN RULE:&lt;/b&gt; If you are using an iPhone 3G or iPhone 3G(S) with ultrasn0w and rely on ultrasn0w to obtain cellular service, then &lt;b&gt;you should only update your device with an .ipsw that is made with the new PwnageTool&lt;/b&gt;. There are no second chances with this. You need to remember that PwnageTool will provide an upgrade path to newer versions of the iPhone software in the future. &lt;/li&gt;
&lt;li&gt;Please read all parts of this post before downloading and using these tools.&lt;/li&gt;
&lt;li&gt;Read items 1, 2 and 3 again and again.&lt;/li&gt;
&lt;li&gt;At the bottom of this post are the bittorrent files for the 3.1 capable version of PwnageTool.&lt;/li&gt;
&lt;li&gt;PwnageTool will work for the iPhone 3GS &lt;b&gt;assuming you have already Pwned it at 3.0 or 3.0.1&lt;/b&gt;
&lt;/li&gt;
&lt;li&gt;PwnageTool will work for the iPod touch 2G &lt;b&gt;assuming you have already Pwned it at 3.0 or 3.0.1&lt;/b&gt;
&lt;/li&gt;
&lt;li&gt;PwnageTool WILL work for Original iPhone (1st Generation), the iPhone 3G and iPhone 3G(S) and the iPod touch (1st Generation and 2nd Generation) but NOT the iPod touch 3rd generation. &lt;/li&gt;
&lt;li&gt;For 3G and 3G(S) users who are Pwned, PwnageTool is your key to updating in the future. Just remember never to install an update directly from Apple; always use an .ipsw that has been created with PwnageTool.&lt;/li&gt;
&lt;li&gt;There is no Windows version of PwnageTool; it is a Mac OS X tool only, and we are not developing a Windows version of PwnageTool.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;b&gt;What’s a Baseband?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The ‘baseband’ is the generic nickname given to the internal components of the iPhone that handle the phone calls and Internet access. This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone. It is separate from the main system that handles the applications (such as email and google maps), and it talks to the main part of the phone over an internal communications network.&lt;/p&gt;
&lt;p&gt;Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features).&lt;/p&gt;
&lt;p&gt;The 3.1 update for the iPhone 3G and 3GS contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;WHICH DEVICE DO I HAVE?&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Read the description to identify your device. Once you have correctly identified your device, follow the specific instructions for that device as listed below.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SIM Free/SP Unlocked/Factory Unlocked iPhone 3G(S)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This applies if you bought your iPhone 3G(S) for $$$$$$$. This model of iPhone 3G(S) doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates;&lt;b&gt; if your device was Pwned at 3.0 or 3.0.1&lt;/b&gt; then you can use PwnageTool to create an ipsw and then use this to update and jailbreak your phone.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;SIM Free/SP Unlocked/Factory Unlocked iPhone 3G &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This applies if you bought your iPhone 3G for $$$$$$$. This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates; &lt;b&gt;if your device was Pwned at 3.0 or 3.0.1&lt;/b&gt; then you can use PwnageTool to create a 3.1.ipsw and then use this with iTunes to upgrade and jailbreak your phone.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPhone 2G (1st Generation)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw. ‘Nuff said, you don’t need to worry about anything: the baseband will be unlocked, the phone jailbroken.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 1G (Original iPod Touch)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 2G &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes. This will only work if you are already Pwned at 3.0 or 3.1. If you are at 3.1, downgrade to 3.0 and use redsn0w to Pwn 3.0; then you have an upgrade path using PwnageTool.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;iPod Touch 3G &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;At this time PwnageTool does not support this device.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Official Bittorrent Releases -&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;&lt;a href="http://xs1.iphwn.org/releases/PwnageTool__3.1.3.dmg.5107931.TPB.torrent" target="_blank"&gt;PwnageTool 3.13 Torrent&lt;/a&gt;&lt;/b&gt;&lt;/li&gt;
&lt;li&gt;&lt;b&gt;SHA1(PwnageTool__3.1.3.dmg)=4141b7ecd3928c3a0c954bb06c86225a56b2f3e7&lt;/b&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Unofficial Mirrors&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors. You download these at your own risk; we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site.  Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct links only to blog@iphone-dev.org; please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://apfelportal.de/host/images/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://apfelportal.de/host/images/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://apfelportal.de/host/images/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://imodzone.net/pwn/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://imodzone.net/pwn/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://imodzone.net/pwn/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://nevyn.nu/files/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://nevyn.nu/files/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://nevyn.nu/files/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://zcr.me/f/PwnageTool__3.1.3.dmg%20" target="_blank"&gt;&lt;a href="http://zcr.me/f/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://zcr.me/f/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://dl.opt-6.com/public/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://dl.opt-6.com/public/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://dl.opt-6.com/public/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://mirrors.c2wifi.org/iPhone/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://mirrors.c2wifi.org/iPhone/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://mirrors.c2wifi.org/iPhone/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.spiralnine.com/bin/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://www.spiralnine.com/bin/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://www.spiralnine.com/bin/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.hackthatphone.net/iphone_dev_team_releases/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://www.hackthatphone.net/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://www.hackthatphone.net/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://downloads2.touch-mania.com/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://coldgame.de/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://coldgame.de/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://coldgame.de/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://files.mackgoodstein.com/PwnageTool__3.1.3.dmg" target="_blank"&gt;&lt;a href="http://files.mackgoodstein.com/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://files.mackgoodstein.com/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://dev.poorlad.com/PwnageTool__3.1.3.dmg%20" target="_blank"&gt;&lt;a href="http://dev.poorlad.com/PwnageTool__3.1.3.dmg" target="_blank"&gt;http://dev.poorlad.com/PwnageTool__3.1.3.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/202796266</link><guid>http://blog.iphone-dev.org/post/202796266</guid><pubDate>Fri, 02 Oct 2009 23:55:00 +0400</pubDate></item><item><title>3 • fun!</title><description>&lt;p&gt;This is the low down on our tools for use with the 3.1 firmware from Apple, &lt;b&gt;please read the whole post in full before attempting anything&lt;/b&gt;. Because of changes with Apple’s update techniques (that complicate the 3GS upgrade process) this will be a multipart release. This release starts with PwnageTool 3.1 for Mac OS X - this application supports the iPhone 1st Generation (2G), the iPhone 3G and the iPod touch 1G. &lt;b&gt;NB: THIS DOES NOT SUPPORT THE 3GS OR 2G/3G IPOD TOUCH. &lt;span&gt;redsn0w for Mac OS X and Windows will follow sometime in the near future, please don’t bug us about it - we’ll release when we have something ready.&lt;/span&gt;&lt;/b&gt;&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;b&gt; GOLDEN RULE:&lt;/b&gt; If you are using a 3G iPhone with ultrasn0w and rely on ultrasn0w to obtain cellular service, then you should only upgrade to 3.1 with a PwnageTool created .ipsw. Stay away from Apple’s direct updates as described &lt;a href="http://blog.iphone-dev.org/post/182722675/rock-out-without-lockout" target="_blank"&gt;here&lt;/a&gt; and &lt;a href="http://blog.iphone-dev.org/post/188396986/future-proofing-the-3gs-jailbreak" target="_blank"&gt;here&lt;/a&gt;; please get up to speed on the whole subject by reading the information contained in these posts. &lt;/li&gt;
&lt;li&gt;If you have an original iPhone (1st generation) then 3.1 unlock works with this PwnageTool release. iPhone 3G users upgrading to 3.1 will need to continue using ultrasn0w with a PwnageTool created 3.1 .ipsw &lt;/li&gt;
&lt;li&gt;Please read all parts of this post before downloading and using these tools.&lt;/li&gt;
&lt;li&gt;Read items 1, 2 and 3 again and again.&lt;/li&gt;
&lt;li&gt;At the bottom of this post are the bittorrent files for the 3.1 capable version of PwnageTool.&lt;/li&gt;
&lt;li&gt;This app is suitable for the recent 3.1 release.&lt;/li&gt;
&lt;li&gt;This version of PwnageTool will NOT work for the iPhone 3GS.&lt;/li&gt;
&lt;li&gt;PwnageTool WILL work for Original iPhone (1st Generation), Original iPod touch (1st Generation) and the iPhone 3G.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;u&gt;&lt;b&gt;Baseband 101&lt;/b&gt;&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;The ‘baseband’ is the generic nickname given to the internal components of the iPhone that handle the phone calls and Internet access. This ‘baseband’ is a tiny and unique independent computer system that runs inside your iPhone. It is separate from the main system that handles the applications (such as email and google maps), and it talks to the main part of the phone over an internal communications network. Think of it like a cable modem or other peripheral that is attached to your home PC that needs occasional updates. When a software update is released and presented to you within iTunes the baseband is sometimes updated (to fix bugs or add new features). The 3.1 update for the iPhone 3G contains such an update, so running the vanilla updater straight away with iTunes will reprogram and update the baseband.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;SIM Free/SP Unlocked/Factory Unlocked iPhone 3G&lt;/u&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;This applies if you bought your iPhone 3G for $$$$$$$. This model of iPhone 3G doesn’t have a Service Provider lock (aka factory unlocked) and you are able to put any SIM card into the phone and get service. Your phone is already unlocked so you do not need to worry about baseband updates. Simply upgrade to 3.1 using iTunes, then use PwnageTool to create an ipsw, and then use this to jailbreak your phone.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;iPhone 2G (1st Generation) &lt;/u&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to do the magic and then restore with iTunes using your newly created .ipsw. ‘Nuff said, you don’t need to worry about anything: the baseband will be unlocked, the phone jailbroken.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;iPod touch 1G (Original iPod Touch)&lt;/u&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Use PwnageTool to create a firmware image and restore with that .ipsw using iTunes.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;iPod touch 2G &lt;/u&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Sorry, no support at this time within PwnageTool, use Redsn0w for an earlier (pre 3.1) firmware release instead.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;u&gt;iPod touch 3G (New iPod Touch)&lt;/u&gt;&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Sorry, no support at this time within PwnageTool&lt;/p&gt;
&lt;p&gt;&lt;u&gt;&lt;b&gt;Official Bittorrent Releases -&lt;/b&gt;&lt;/u&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://torrents.thepiratebay.org/5089960/PwnageTool_3.1.dmg.5089960.TPB.torrent" target="_blank"&gt;PwnageTool_3.1.dmg.5089960.TPB.torrent&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;SHA1 = ccc1e5db026362fc7eb9a40c76322b1fdcc90332&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;u&gt;Unofficial Mirrors&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;The following links are unofficial download mirrors. You download these at your own risk; we accept no responsibility if your computer explodes or if it becomes part of a NASA attacking botnet or even worse if your hands fall off mid-way during the use of these files. We do not check these links or archives and we accept no responsibility with regard to the validity of the files, or with other content these links provide or with the content that is on the linked site.  Always check the published SHA1 sums. We would prefer that you downloaded the official bittorrent release that is linked above, but you are welcome to try these if you really must. Mirror owners should email direct links only to blog@iphone-dev.org; please don’t place mirrors in the comments as they will be deleted.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool_3.1.dmg" style="color: #007bff;" target="_blank"&gt;&lt;a href="http://downloads2.touch-mania.com/PwnageTool_3.1.dmg" target="_blank"&gt;http://downloads2.touch-mania.com/PwnageTool_3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://bentkowski.com.pl/PwnageTool_3.1.dmg" target="_blank"&gt;&lt;a href="http://bentkowski.com.pl/PwnageTool_3.1.dmg" target="_blank"&gt;http://bentkowski.com.pl/PwnageTool_3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.iemanduitnederland.nl/PwnageTool_3.1.dmg" target="_blank"&gt;&lt;a href="http://www.iemanduitnederland.nl/PwnageTool_3.1.dmg" target="_blank"&gt;http://www.iemanduitnederland.nl/PwnageTool_3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://miphone.ca/iphone-dev/PwnageTool_3.1.dmg" target="_blank"&gt;&lt;a href="http://miphone.ca/iphone-dev/PwnageTool_3.1.dmg" target="_blank"&gt;http://miphone.ca/iphone-dev/PwnageTool_3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://dehek.us/PwnageTool_3.1.dmg" target="_blank"&gt;&lt;a href="http://dehek.us/PwnageTool_3.1.dmg" target="_blank"&gt;http://dehek.us/PwnageTool_3.1.dmg&lt;/a&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Update 1: &lt;/b&gt;Please do not put links to custom IPSWs in your comments, because the software in them is copyrighted by Apple.  The Dev Team motto has always been “patch, don’t pirate!”.  And you’ll just make things harder for your friendly moderators angiepangie and Confucious :)&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update 2: &lt;/b&gt;Unlocked users on the 3G will probably notice that the name and/or logo of their carrier is missing, but they still have full bars and a signal.  So far this seems to be purely a cosmetic issue and it doesn’t impact your signal or coverage.  We hope to have this issue “fixed” when we release the 3GS compatible version of PwnageTool.  This is very likely tied to Update #3…&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update 3: &lt;/b&gt;As of 3.1, the *.ipcc carrier bundles are signed, and you can no longer force tethering capability simply by crafting your own bundle.  The good news is this obstacle can probably be overcome by virtue of the jailbreak.  But so far that extra hack is not part of the PwnageTool custom IPSW creation.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/188779017</link><guid>http://blog.iphone-dev.org/post/188779017</guid><pubDate>Wed, 16 Sep 2009 00:55:00 +0400</pubDate></item><item><title>Future-proofing the 3GS jailbreak</title><description>&lt;p&gt;If there’s one thing we’ve been stressing the last few weeks, it’s that if you want to keep the jailbreak or unlock on your 3GS, you should resist all urges to install Apple’s official firmware updates without knowing if a jailbreak exists for that version yet.  Unless another (different) bootrom exploit is found for the 3GS that doesn’t require a “foot in the door” with a signed official iBoot, then accepting official updates willy-nilly may cause you to be cut off from the jailbreak.  And it will definitely cause you to be cut off from the carrier unlock.&lt;/p&gt;
&lt;p&gt;Now, there are ways to ensure that even after taking an official 3GS update (&lt;i&gt;which you really shouldn’t do!&lt;/i&gt;), that you’ll nonetheless be able to revert to a jailbreakable 3GS (this is NOT true for the unlock, see NOTE #1 below).  We’ve been explaining these methods (like the iTunes /tmp technique) over the last few weeks, and there’s been some great discussion and feedback for the methods in the comments.&lt;/p&gt;
&lt;p&gt;Having said all that, we realize that some of you updated your 3GS to 3.1 anyway.  If you want to come back to the world of the jailbreak (but NOT the sim unlock, sorry!) then saurik’s new “on file” server may be able to help.  He’s got &lt;a href="http://www.saurik.com/id/12" target="_blank"&gt;all the details in a new article&lt;/a&gt; so do check it out.&lt;/p&gt;
&lt;p&gt;Even if you did not update your 3GS to official 3.1 (good job!  You really shouldn’t do that!), then you should still read the article and make those changes today.  &lt;b&gt;We fully recommend redirecting your iTunes signing process through saurik’s “on file” server to future-proof your 3GS jailbreak through all future updates.&lt;/b&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;b&gt;AFTER ADJUSTING YOUR ITUNES SETUP, YOU SHOULD STILL AVOID DOING AN ACTUAL FIRMWARE UPDATE. &lt;/b&gt;For all the reasons mentioned in this post, you’ll lose the unlock forever, and lose the jailbreak until a new one for 3.1 comes out.  And there’s no guarantee that your 3.0 signed files were captured by saurik in time.  This is more about protecting your 3GS jailbreak in future updates — it’s not a way to jailbreak 3.1 right now.&lt;/blockquote&gt;
&lt;p&gt;&lt;b&gt;NOTE #1&lt;/b&gt;: the carrier sim unlock is a different story.  Jailbreaking and unlocking have two different security mechanisms, and if you update your 3GS (or 3G) to 3.1, you will lose your carrier unlock, possibly forever.  Even if you downgrade from 3.1 to 3.0, you will have lost your carrier unlock.  So if you think you’ll ever want to carrier unlock your 3G or 3GS (or maybe give it away or resell it later as an unlockable iPhone), then please stay clear of all official Apple IPSWs.  You’ll soon be able to create custom 3.1 IPSWs using PwnageTool that let you pre-hack your 3.1 update in a way that preserves the carrier unlock.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;NOTE #2&lt;/b&gt;: The custom IPSW flow using PwnageTool also ensures that even if Apple fixes all the iBoot holes, you’ll still be able to retain your jailbreak through later updates.  That’s because a jailbroken iPhone will happily accept a custom (pre-jailbroken) firmware update even though it’s not blessed with Apple’s signatures.  This is the “once jailbroken, always jailbroken” approach.  It’s very powerful, but it requires you to only update to pre-hacked IPSWs.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;NOTE #3&lt;/b&gt;: None of this applies if you have an iPhone 2G, iPod touch 1G, or iPod touch 2G.  The iPhone 3G is also unaffected by Apple’s signing process for the jailbreak, but it is susceptible to permanent loss of the carrier unlock as mentioned in note #1.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/188396986</link><guid>http://blog.iphone-dev.org/post/188396986</guid><pubDate>Tue, 15 Sep 2009 12:38:00 +0400</pubDate></item><item><title>Rock Out without Lockout</title><description>&lt;p&gt;This week Apple will be all over the news with their announcements at Wednesday’s “Let’s Rock” event.   But with so many new owners of the iPhone 3GS, and with so many new owners of the iPhone 3G (perhaps sold to them by these new 3GS owners)…now is a good time to send out this general advisory.&lt;/p&gt;
&lt;p&gt;If you update to Apple’s new software using the normal iTunes process, you will lose your ultrasn0w unlock.  In fact you may lose it permanently, because for most people the baseband firmware cannot be reverted to a previous version (unlike the main application CPU firmware).&lt;/p&gt;
&lt;p&gt;But don’t worry…our PwnageTool program — when it’s updated for 3.1 — will let you update your main firmware without touching your baseband firmware, so you can still have the best of both worlds.  But you must be diligent about saying “no” to your iTunes request this week to update your firmware.&lt;/p&gt;
&lt;p&gt;Update: We’re currently working on PwnageTool for 3.1, and will be sure to let you know when it’s available!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/182722675</link><guid>http://blog.iphone-dev.org/post/182722675</guid><pubDate>Tue, 08 Sep 2009 13:59:00 +0400</pubDate></item><item><title>Snow Brainer</title><description>&lt;p&gt;Snow Leopard, the OS released for Mac on Friday, poses no new wrinkles for the redsn0w jailbreak or ultrasn0w unlock.  &lt;/p&gt;
&lt;p&gt;To summarize the status of our tools (all of which are available through the links at the left):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;You can use redsn0w to jailbreak any iPhone or iPod Touch using OS X, Windows, or Linux.  For both 3.0 and 3.0.1 firmwares, you should point redsn0w at the 3.0 IPSW.  If you see it hang at “waiting for reboot”, just unplug and replug that USB cable.&lt;/li&gt;
&lt;li&gt;You can use ultrasn0w to unlock the iPhone 3G/3GS, or BootNeuter to unlock the iPhone 2G.  Both ultrasn0w and BootNeuter are available via Cydia.&lt;/li&gt;
&lt;li&gt;You can use PwnageTool for Mac to create custom IPSWs with pre-installed packages.&lt;/li&gt;
&lt;li&gt;For detailed guides on how to run any of these tools, sites like iClarified have some &lt;a href="http://www.iclarified.com/entry/index.php?enid=2311" target="_blank"&gt;great tutorials&lt;/a&gt;.  For specific help on any problems, feel free to use our comment system below.  angiepangie and Confucious are your friendly moderators and they’re joined by a number of other very knowledgeable commenters too! &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We’re glad to see Apple joining in on the “snow” theme.   If only Apple had called their new OS “Sn0w Leopard”!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/174506519</link><guid>http://blog.iphone-dev.org/post/174506519</guid><pubDate>Sat, 29 Aug 2009 09:57:00 +0400</pubDate></item><item><title>A Pinch too much</title><description>&lt;p&gt;Last week, Joey Hess &lt;a href="http://is.gd/2kKYX" target="_blank"&gt;revealed&lt;/a&gt; that the Palm Pre running on WebOS uploads very specific information about your location and application usage to Palm on a daily basis.  Although it’s allowed by the EULA that you must accept to use the Palm Pre, it still seems a little…creepy, especially if used for the wrong reasons.  The only “bright” side to this story is that it was for the Palm Pre, not for the iPhone.  Apple has been in the news a lot lately for its AppStore shenanigans, but at least they don’t go so far as to track your location.  Right?&lt;/p&gt;
&lt;p&gt;Well, sort of.  Although we have yet to find an application by Apple that tracks your location, there are certainly a number of “free” applications in the official AppStore that are designed to do just that.  Case in point:  there’s this rather cute/gimmicky app that lets you determine the tip for your waiter or waitress by tilting your phone as you pass it around the restaurant table.  But if you dig a little deeper (like &lt;a href="http://twitter.com/gnihsub" target="_blank"&gt;bushing&lt;/a&gt; did) you’ll find it uses a library by Pinch Media that is specifically designed to track your geographical location through time, then upload that data to Pinch Media.  (Oh and it also shows you an ad, as an extra bonus).&lt;/p&gt;
&lt;p&gt;Being an approved app, it must first ask you for permission to use your location.  If you tap “Don’t Allow”, it will ask you again in about a minute, the next time its ad changes.  So you either stop using this app (because it pesters you so much about the location question), or you finally submit and tap “OK”.  From that point on, your location and path info (your actual physical path through your area each time you launch the app) belongs to Pinch Media, Inc. We think that’s a Pinch too much.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update:&lt;/b&gt; A commenter named fusen pointed out &lt;a href="http://is.gd/2kXTr" target="_blank"&gt;this post&lt;/a&gt; by 0th3lo, who details Pinch Media’s SQL info (it includes your gender and birthday, when possible) and goes so far as to say “no doubt, ANY pinchmedia iPhone application is spyware”.  Maybe it’s time to pressure Apple to boot Pinch Media apps from the AppStore?&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update:&lt;/b&gt; Pinch Media have blogged about the data collected by their analytics library &lt;a href="http://www.pinchmedia.com/blog/pinch-media-user-privacy-and-spyware" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Update:&lt;/b&gt; Jailbroken users are now at a distinct advantage when it comes to data tracking.  saurik has worked with Pinch Media and some other data trackers to develop an “opt-out” feature for data collection!  It’s called &lt;a href="http://is.gd/2s7ER" target="_blank"&gt;PrivaCy&lt;/a&gt; and is now available via Cydia!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/164789333</link><guid>http://blog.iphone-dev.org/post/164789333</guid><pubDate>Mon, 17 Aug 2009 14:07:00 +0400</pubDate></item><item><title>Recycling goodness</title><description>&lt;p&gt;Short version:&lt;/p&gt;
&lt;p&gt;You can re-use redsn0w v0.8 we released a few weeks ago to jailbreak today’s 3.0.1 update.  Just let iTunes update or restore you to official 3.0.1 then run redsn0w.  The only “trick” is that when redsn0w asks you to identify the IPSW used, point it at the 3.0 IPSW instead of the 3.0.1 one.   After the jailbreak, reinstall ultrasn0w 0.9 if you need the unlock.&lt;/p&gt;
&lt;p&gt;More details:&lt;/p&gt;
&lt;p&gt;The 3.0.1 release is a “branch” from 3.0 that occurs (code-wise) before all the 3.1 betas.  The programs redsn0w needs to change for the jailbreak are identical when you compare the 3.0 and 3.0.1 versions.  It seems pretty much the only changes Apple made were for the SMS bug, which affects programs that redsn0w doesn’t touch.  That’s why you can re-use redsn0w 0.8 on 3.0.1 even though it was written for 3.0. &lt;/p&gt;
&lt;p&gt;And since 3.0.1 doesn’t touch the baseband either, ultrasn0w 0.9 works for those needing the soft unlock.  Just install it from the repo666.ultrasn0w.com repository using Cydia as usual.&lt;/p&gt;
&lt;p&gt;We’ll at some point fix redsn0w to recognize both 3.0 and 3.0.1 IPSW’s, but really that’s the only change that would be made to it.  Everything else would be identical, so there’s &lt;b&gt;no need to wait&lt;/b&gt; for the “proper” version that recognizes the 3.0.1 IPSW as valid.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/153409604</link><guid>http://blog.iphone-dev.org/post/153409604</guid><pubDate>Sat, 01 Aug 2009 08:27:00 +0400</pubDate></item><item><title>Ultratips</title><description>&lt;p&gt;It looks like version 0.9 of ultrasn0w fixed up the vast majority of any problems people were seeing with the 3G/3GS carrier unlock. But here’s a brief list of fixes for anyone still seeing problems:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;b&gt;Unusual battery depletion is almost always caused by people choosing to “Restore from backup”&lt;/b&gt; &lt;b&gt;instead of “Setup as new iPhone” when iTunes asks you.  This isn’t caused by either the jailbreak or the unlock, but it’s a common 3.0 snafu.&lt;/b&gt;  The fix is to just re-run the official 3.0 restore and choose “Setup as new” this time.  Your music and apps and all that will still be synced, but you’ll get rid of any conflicting wifi, bluetooth, or carrier settings.  Then just re-run redsn0w and install ultrasn0w.&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;Remember, ultrasn0w works with hacktivated phones too, but don’t outsmart redsn0w into thinking you don’t need hacktivation!&lt;/b&gt;  If you don’t plan on using an official sim, don’t activate via iTunes with such a sim.  Just keep your unofficial sim at all times and let redsn0w and ultrasn0w handle hacktivation :)&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;T-Mobile in the USA doesn’t use the 3G frequencies that the iPhones support&lt;/b&gt;, so turn off 3G in Settings-&gt;General-&gt;Network.  (Some T-Mobile territories gracefully hand down to Edge mode, but most do not).&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;Certain unofficial plans have limitations on whether you can make calls and use data at the same time.&lt;/b&gt; That’s not unlock-related.&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;Some people have installed previous versions of ultrasn0w using non-standard techniques.&lt;/b&gt;  While the ultrasn0w 0.9 update should have removed all previous versions of ultrasn0w, these users may have outsmarted our removal.  So make sure you don’t still see /usr/bin/ultrasn0w present if you’re at ultrasn0w 0.9 (which doesn’t have such a binary anymore).&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;If you don’t need or plan to update to ultrasn0w 0.9 from a previous version, you can avoid having that red badge over Cydia&lt;/b&gt; by removing repo666 as a Cydia source.  Don’t worry, you can always add it back later :)  If you follow us on twitter you’ll be advised of any new updates anyway.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Last but not least, &lt;b&gt;many thanks to our resident blog moderators, angiepangie and Confucious&lt;/b&gt;.  They’re doing a fantastic job helping people in the comments, and so are other volunteers.  Thank you all for your contributions!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/144907200</link><guid>http://blog.iphone-dev.org/post/144907200</guid><pubDate>Mon, 20 Jul 2009 01:07:00 +0400</pubDate></item><item><title>Winter Tires</title><description>&lt;p&gt;&lt;b&gt;Short version:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;ultrasn0w version 0.9 is out!  We believe it solves pretty much all of the various random issues that have been reported.  Its features include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Works on both 3G and 3GS&lt;/li&gt;
&lt;li&gt;Works on hacktivated devices&lt;/li&gt;
&lt;li&gt;Works regardless of how you jailbroke your device&lt;/li&gt;
&lt;li&gt;Doesn’t patch any mach-o binary whatsoever.  (Doesn’t require a separate patch as each new firmware comes out).&lt;/li&gt;
&lt;li&gt;Doesn’t install any additional daemon&lt;/li&gt;
&lt;li&gt;Has no race conditions, no popups about “Missing SIM”, no network issues&lt;/li&gt;
&lt;li&gt;Is almost 7000 times smaller than its nearest competition :)&lt;/li&gt;
&lt;li&gt;Is available now via Cydia.  Source repo is &lt;a href="http://repo666.ultrasn0w.com" target="_blank"&gt;http://repo666.ultrasn0w.com&lt;/a&gt; (that last “0” in ultrasn0w is a zero!)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Long version:&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;The day before yesterday, some fellow named geohot released a program called “purplesn0w” which claims to be a better unlock than our ultrasn0w unlock released last month, and our yellowsn0w unlock released 7 months ago. He was kind enough to provide source, which we naturally took apart to try to validate his claims. ;)&lt;/p&gt;
&lt;p&gt;We’ve found he had come up with two pretty neat ideas, one more pragmatic than the other for the iPhone.  The first is a way of patching the actual text of the baseband code by copying it over to RAM and then using the MMU and page tables to have the baseband pretend it is part of the original bootrom. Of course, like yellowsn0w and ultrasn0w, this code has to be reloaded with every reboot of the baseband. However, the advantage of this is that developing unlocking payloads is a lot simpler… in fact, geohot used the same payload in AnySim and BootNeuter. We kicked around this idea ourselves before, but eventually found a work-around for the same problem with the yellowsn0w/ultrasn0w payload. The two pieces of code have the &lt;b&gt;exact same effect on the baseband&lt;/b&gt;… with the difference that geohot’s exploit overwrites an arbitrary block of memory one megabyte in size. The baseband has a total of eight megabytes of memory and every bit of it is earmarked for use (except for 485212 bytes of it which we haven’t accounted for yet, but that’s still less than 1 MB). This means that eventually the area of memory geohot is using will be corrupted and 1 MB of baseband code will be corrupted (until the next reboot). How soon will this happen? Will it even matter in day-to-day use? We don’t know, because we haven’t spent much time looking. However, why take the risk when the yellowsn0w/ultrasn0w payload accomplishes the same job with no corruption?&lt;/p&gt;
&lt;p&gt;To put it into perspective, ultrasn0w uses 152 bytes of properly malloc’d baseband RAM, which is 0.015% of what purplesn0w uses.  Put another way, purplesn0w uses 6900 times more RAM than ultrasn0w (and doesn’t let the O/S know that it’s using it, so the O/S still thinks it’s free to use.  When it does use it, the baseband will crash).&lt;/p&gt;
&lt;p&gt;Now, the second new idea he had was to patch CommCenter rather than use a daemon. At first, this idea seemed pretty distasteful to us. Binary patches are messy and difficult to maintain (we figure it’s partly why he only made a version for 3G S and not 3G as well). In addition, the stated reason of reduced battery life with a daemon is factually incorrect, since any computer science student who’s taken a course in operating systems will tell you that a sleeping task takes up exactly NO CPU resources and NO power (it’s merely skipped over during context switches). That’s right: not “only a little” power, but absolutely NO power. However, ultrasn0w 0.6 did have a problem where the STK refresh command it used crashed the baseband in 3G S. This caused the baseband to continually come up and then restart. That DOES take power and so may explain the issues that people have been seeing. ultrasn0w 0.8 was supposed to have fixed this issue, but perhaps not completely. This is because the STK refreshes we used are inherently unreliable… but we thought they were necessary to avoid people having to reinsert their SIM. Turns out we were wrong on that score. geohot’s method shows that we can perform the unlock before CommCenter polls for lock state. When we do it before (instead of after), the STK refreshes are no longer necessary! The only way to do it before the polling, however, is to modify CommCenter.&lt;/p&gt;
&lt;p&gt;We’ve tried to make the best of a bad situation by using MobileSubstrate to perform the modification. This lets us modify the behavior of CommCenter without touching the actual binary. We also used a method to dynamically locate the patch location so that it should work on both 3G and 3G S (and should need to be updated less frequently). We also do it in a different way so that hacktivated phones will work with the unlock (unlike purplesn0w).  You’ll find that this update is now available through Cydia as ultrasn0w 0.9.  We thank geohot for contributing to the scene once again. We don’t think purplesn0w is the right path, but it has certainly helped us improve ultrasn0w!&lt;/p&gt;
&lt;p&gt;P.S. geohot, seriously, stop dicking around and look at the bootrom instead kthx. =P&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/142660724</link><guid>http://blog.iphone-dev.org/post/142660724</guid><pubDate>Thu, 16 Jul 2009 11:41:00 +0400</pubDate></item><item><title>What's old is new again</title><description>&lt;p&gt;Last night we released updated versions of our redsn0w jailbreak and ultrasn0w carrier unlock.  These versions are now compatible with the iPhone 3GS running at 3.0.  Welcome aboard, 3GS owners!  (The tools of course remain compatible with all of the other platforms too.)   Also last night, saurik released 3GS-compatible versions of MobileSubstrate and WinterBoard, components that enable many different add-ons and themes.&lt;/p&gt;
&lt;p&gt;We realize we upset some folks (e.g. existing 3GS owners) with &lt;a href="http://blog.iphone-dev.org/post/131932341/the-needs-of-the-many" target="_blank"&gt;our earlier announcement&lt;/a&gt; that we wanted to hold onto the 3GS iBoot-family hole until 3.1 was out.  Our aim there was to get as many people as possible onboard (within reason of course) before revealing the hole, since Apple will fix it immediately.  But all of that became moot when the purplera1n release was made, since it uses the same hole.&lt;/p&gt;
&lt;p&gt;For those of you who already own 3GS phones, the outlook is bright. As long as you have &lt;a href="http://blog.iphone-dev.org/post/133799347/your-3gs-temporary-solution" target="_blank"&gt;your personalized (signed) dfu/img3 files&lt;/a&gt;, you’ll always be able to jailbreak (even if you slip up and install stock Apple firmware in the future).  For those of you without 3GS phones, it’s a race against the clock to use this particular hole.  There’s nothing we can do about that, but we will always be looking for new holes.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;ultrasn0w unlockers &lt;/b&gt;— You all must remain particularly vigilant against upgrading your basebands, since doing so will kill the unlock (for most phones, there’s &lt;b&gt;no&lt;/b&gt; going backwards in baseband version).  Apple has gotten very serious with the latest baseband — they’ve removed 180 (!) commands in an effort to cut down their exposure to holes.  So please always stay away from stock Apple IPSWs and instead use our tools as we release them.  These tools let you update your firmware without updating your baseband.&lt;/p&gt;
&lt;p&gt;Those installing ultrasn0w will probably also need to do a single run of Settings-&gt;General-&gt;Reset-&gt;Reset Network Settings.  We’re testing various fixes for that particular glitch.&lt;/p&gt;
&lt;p&gt;Once again, thanks to @Oranav for finding the new injection vector that allowed us to transform yellowsn0w for baseband 02.28 into ultrasn0w for baseband 04.26, &lt;i&gt;and for not revealing it to Apple &lt;/i&gt;before it could be used where it would be most effective — firmware 3.0.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;redsn0w platforms&lt;/b&gt; — This is the first redsn0w release that also supports linux!  It’s the newest version of the bunch, so any feedback would be appreciated.  But right now, redsn0w should work on OS X, Windows, and linux.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;How to get the goods:&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The redsn0w torrent seeds are &lt;a href="http://thepiratebay.org/user/iphonedev/" target="_blank"&gt;all here&lt;/a&gt;.  Any direct mirroring help would also be appreciated.&lt;/li&gt;
&lt;li&gt;The updates to ultrasn0w, MobileSubstrate, and WinterBoard are all handled directly through Cydia (after you’ve jailbroken!)&lt;/li&gt;
&lt;li&gt;The Cydia repo for ultrasn0w is &lt;a href="http://repo666.ultrasn0w.com" target="_blank"&gt;http://repo666.ultrasn0w.com&lt;/a&gt; (that last o in ultrasn0w is the number 0!)&lt;/li&gt;
&lt;/ul&gt;</description><link>http://blog.iphone-dev.org/post/137214493</link><guid>http://blog.iphone-dev.org/post/137214493</guid><pubDate>Tue, 07 Jul 2009 22:27:00 +0400</pubDate></item><item><title>3GS -- ultrasn0w style!</title><description>&lt;p&gt;&lt;b&gt;Do not upgrade to 3.1 yet if you want this unlock!&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Here’s a brief video demonstration by &lt;a href="http://twitter.com/planetbeing" target="_blank"&gt;@planetbeing&lt;/a&gt; of the iPhone Dev Team’s ultrasn0w unlock for the new iPhone 3G S. Special thanks to &lt;a href="http://twitter.com/oranav" target="_blank"&gt;@Oranav&lt;/a&gt; for the at+xlog crash — a gift to the community that has kept on giving!&lt;/p&gt;
&lt;p&gt;
&lt;object height="300" width="400" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"&gt;
&lt;param name="allowfullscreen" value="true"&gt;
&lt;param name="allowscriptaccess" value="always"&gt;
&lt;param name="src" value="http://vimeo.com/moogaloop.swf?clip_id=5431060&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1"&gt;
&lt;embed height="300" width="400" src="http://vimeo.com/moogaloop.swf?clip_id=5431060&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" allowscriptaccess="always" allowfullscreen="true" type="application/x-shockwave-flash"&gt;&lt;/embed&gt;&lt;/object&gt;
&lt;/p&gt;
&lt;p&gt;Our &lt;a href="http://www.youtube.com/watch?v=kd5vOy2m5uY" target="_blank"&gt;ultrasn0w program&lt;/a&gt; uses the at+xlog crash as an injection vector of our unlocking payload — and it does so on the 3GS in exactly the same way as on the 3G!  But this injection vector will be lost if you update to 3.1 using the official Apple IPSW, which updates the baseband.  So stay away from official 3.1 IPSWs until we release the tools that let you update the firmware without updating the baseband.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/134583728</link><guid>http://blog.iphone-dev.org/post/134583728</guid><pubDate>Fri, 03 Jul 2009 08:59:00 +0400</pubDate></item><item><title>your 3GS temporary solution ;-)</title><description>&lt;p&gt;Remember we &lt;a href="http://blog.iphone-dev.org/post/133277387/only-so-many-ways-to-say-it" target="_blank"&gt;warned you to stay away from any updates to 3.1&lt;/a&gt; if you want to be able to jailbreak or unlock your 3GS.&lt;/p&gt;
&lt;p&gt;Well this is an additional message to all you 3GS owners that would like to jailbreak your device sometime soon, but this advice comes with a warning! A warning that if you accidentally upgrade to 3.1, you will &lt;b&gt;not be able to use ultrasn0w, so &lt;i&gt;please re-read and &lt;/i&gt;&lt;/b&gt;&lt;b&gt;double check this warning at the bottom of this post before proceeding. &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;You may have read or heard about techniques to capture files during the iTunes restore process. These will be required to jailbreak your phone in the near future; most of the methods involve icky USB snoops. Well, there is an even better and &lt;i&gt;more reliable&lt;/i&gt; method to get your hands on those lovely files.&lt;/p&gt;
&lt;p&gt;During the restore process iTunes nicely keeps these&lt;i&gt; oh-so-top-secret-files&lt;/i&gt; in a lovely accessible place for us to &lt;i&gt;copy out and back up&lt;/i&gt;. That place?  /tmp on Mac OS X or %TEMP% on Windows.  Thanks Apple — handy!&lt;/p&gt;
&lt;p&gt;The downside to this approach is that you actually need to go through the restore process to get these signed files, which has risks if you are &lt;i&gt;anywhere near&lt;/i&gt; 3.1 or 3.1 beta :-)&lt;/p&gt;
&lt;p&gt;&lt;b&gt;&lt;i&gt;If&lt;/i&gt;&lt;/b&gt; you are ready to proceed and &lt;b&gt;&lt;i&gt;you know the risks &lt;/i&gt;&lt;/b&gt;we’ll get down to the nitty-gritty -&lt;/p&gt;
&lt;p&gt;So during a usual recovery with iTunes, your signed iBEC is written to /tmp and during a DFU mode restore the signed iBSS is written there also. To be sure, restore in both modes one after another to be able to grab them both. You’ll need to keep an eye on the temp directory and copy it before it is deleted again by iTunes. I’m sure some nice folks will create a tutorial about this, we’ll link to the first person who makes a good one.&lt;/p&gt;
&lt;p&gt;Should you choose to accept this mission, act fast; this needs to be done quickly! But again, always, always double check here to see if 3.1 has been released; if it has, then &lt;b&gt;don’t do this.&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;WARNING!! -  DANGER, WILL ROBINSON! - NB! - REMEMBER!&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;IF YOU CARE ABOUT ULTRASN0W, BE VERY CAREFUL WITH THIS METHOD!&lt;/b&gt; Do not attempt this if you have downloaded the 3.1 beta. You do NOT WANT TO accidentally restore your device to 3.1 beta — you’ll lose ultrasn0w if you do!&lt;b&gt; BE WARNED :-)&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Update: iClarified has come up with a good picture-filled guide for doing this on a &lt;a href="http://www.iclarified.com/entry/index.php?enid=4400" target="_blank"&gt;Mac&lt;/a&gt; and also one for &lt;a href="http://www.iclarified.com/entry/index.php?enid=4399" target="_blank"&gt;Windows&lt;/a&gt;. Good luck!&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/133799347</link><guid>http://blog.iphone-dev.org/post/133799347</guid><pubDate>Thu, 02 Jul 2009 03:54:00 +0400</pubDate></item><item><title>Only so many ways to say it</title><description>&lt;p&gt;You’ve seen us give this warning before, and there are only so many ways to say it or come up with a clever title :) But here it is: ultrasn0w users must stay away from any firmware updates past 3.0 (including today’s 3.1 beta) until we release the tools that let you update the firmware without updating the baseband.  For most phones out there, baseband updates are irreversible and you’ll lose ultrasn0w.&lt;/p&gt;
&lt;p&gt;The 3.0 jailbreak was one of those (rare) times where both the jailbreak and the unlock coincided (the only other time was 2.2).  It’s important that people realize that *most* firmware releases aren’t like that, and you need to take steps (via the tools) to separate the firmware update from its included baseband update.&lt;/p&gt;
&lt;p&gt;This warning does not apply to the iPhone 2G, which uses BootNeuter for the unlock, not ultrasn0w.&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/133277387</link><guid>http://blog.iphone-dev.org/post/133277387</guid><pubDate>Wed, 01 Jul 2009 06:37:00 +0400</pubDate></item><item><title>The needs of the many...</title><description>&lt;p&gt;Spock said it best: “The needs of the many outweigh the needs of the few…”&lt;/p&gt;
&lt;p&gt;&lt;img height="265" width="375" alt="The needs of the many..." src="http://iphwn.org/manyneed.jpg"/&gt;&lt;/p&gt;

&lt;p&gt;Summary:&lt;/p&gt;
&lt;p&gt;We can jailbreak the 3GS right now.  But making our jailbreak public at this point in time would benefit relatively few people.  It would in fact be detrimental to many more people than it would help.  So we feel it’s best to keep our version of the jailbreak out of Apple’s sights for the time being.&lt;/p&gt;
&lt;p&gt;Details:&lt;/p&gt;
&lt;p&gt;If you already have a 3GS phone and have already done a full USB dump or captured your img3’s signed with your ECID, then you’re in great shape.  &lt;i&gt;You&lt;/i&gt; will always be able to jailbreak.  But many people who plan on getting a 3GS do not yet have one. For instance, many people are waiting for their existing contracts to mature to the point where they get a price break on the 3GS.  Many people are trying to sell their 3G before they can buy the 3GS.  &lt;b&gt;There are parts of the globe where you can’t even buy a 3GS yet!&lt;/b&gt;  The reasons are varied, but they are many.&lt;/p&gt;
&lt;p&gt;The nature of the 3GS hardware allows Apple to stop IPSWs from being usable unless you’ve already gotten the signed chunks they send to you based on your ECID (a unique chip ID).  You cannot get these signed chunks without knowing your ECID, and you don’t know your ECID until you’ve bought your 3GS.&lt;/p&gt;
&lt;p&gt;The jailbreak requires at least one signed iBoot-family img3 for your device.  And that iBoot needs to have an exploitable bug.  It’s an all-or-nothing deal…you either have your signed exploitable iBoot ready to use, for now and forever — always jailbreakable — or you have nothing.&lt;/p&gt;
&lt;p&gt;Here’s the critical point, the reason why we’re delaying our version of the jailbreak: Once the jailbreak is out, Apple will fix the iBoot-family bug we use to accomplish it.  They will simply stop signing the old iBoots and only sign the fixed ones.  If you bought your phone after Apple has done this, there’s nothing you can do…the jailbreak isn’t going to work for you.&lt;/p&gt;
&lt;p&gt;It is &lt;i&gt;possible&lt;/i&gt; that Apple will find the bug we use without our handing it to them on a silver platter (via a public jailbreak).  In that case, we will have delayed our jailbreak for “nothing”.  But we’d rather be safe than sorry!&lt;/p&gt;
&lt;p&gt;Apple is surely coming out with a 3.0.1 firmware release shortly. They need to fix ultrasn0w.  They need to fix some UI issues.  3.0 is buggy and 3.0.1 is coming.  We’re going to wait and see what 3.0.1 brings before figuring out the release date for our version of the jailbreak.&lt;/p&gt;
&lt;p&gt;In the meantime, we have some remaining 3.0 jailbreak issues to investigate, including push notification.  Thanks for being patient with us while we took a 3GS “timeout”!  &lt;/p&gt;
&lt;br/&gt;</description><link>http://blog.iphone-dev.org/post/131932341</link><guid>http://blog.iphone-dev.org/post/131932341</guid><pubDate>Mon, 29 Jun 2009 03:38:54 +0400</pubDate></item><item><title>24Kpwn lives on, in the iPhone 3GS!</title><description>&lt;p&gt;About 5 hours ago (Thursday evening, less than a week after the 3GS launch), we were able to verify that the 24Kpwn exploit that the hybrid team used on the iPod Touch 2G is still applicable to the bootrom of the iPhone 3GS. That means we can use the same sort of technique used by our current redsn0w tool to jailbreak and unlock the iPhone 3GS. &lt;/p&gt;
&lt;p&gt;This is great news, but how did it happen?  Why didn’t Apple fix this in their normal cat&amp;mouse fashion?  Well it seems this bootrom was cut in about the August 2008 timeframe, so the unintended early reveal of 24Kpwn earlier this year didn’t affect the iPhone 3GS.&lt;/p&gt;
&lt;p&gt;For our technical notes on where the 24Kpwn exploit is in the 3GS, see &lt;a href="http://iphwn.org/24kpwnliveson.txt" target="_blank"&gt;here&lt;/a&gt; (pastebin hash of it is &lt;a href="http://pastebin.ca/1474880" target="_blank"&gt;here&lt;/a&gt;).    Our original blog post for when this exploit was first found is &lt;a href="http://blog.iphone-dev.org/post/85449850/ipod-touch-2g-hi-welcome-to-the-jailbreak-family" target="_blank"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;And yes, ultrasn0w will be able to be used on the iPhone 3GS for you unlockers!  &lt;/b&gt;(In fact, without any modifications whatsoever!)&lt;/p&gt;
&lt;p&gt;Important: Apple has not given up on the cat&amp;mouse game, and in fact there are challenging aspects of the 3GS jailbreak that aren’t in the other devices.  It’ll take some time to &lt;b&gt;safely &lt;/b&gt;work these into our tools, but the fundamental weaknesses are there:  The bootrom is exploitable via 24Kpwn, and the baseband is exploitable via ultrasn0w.  (And just like with the 3G, ultrasn0w for 3GS requires that you not update your baseband when Apple comes out with new firmware.)&lt;/p&gt;</description><link>http://blog.iphone-dev.org/post/130456145</link><guid>http://blog.iphone-dev.org/post/130456145</guid><pubDate>Fri, 26 Jun 2009 09:34:00 +0400</pubDate></item></channel></rss>
