Liveblogging the big iPhone 1.1.1 hack

Last night, iPhone hackers "dinopio" and "Edgan" brought 1.1.1 hacking into a new arena. By using symbolic links before doing a 1.1.1 upgrade, they were able to gain access to the entire 1.1.1 file tree. Today, I'll be liveblogging my attempt to duplicate their hack. So sit back and reload as I put my poor iPhone to the test.
Ingredients
One iPhone, still at version 1.0.2 with ssh access.
One 1.1.1 iPhone upgrade, still not applied.
Firmware for 1.0.2 for downgrading.
iPhuc
The basic method
1. Using ssh: cd /var/root
2. mv Media backup
3. ln -s / Media
4. Upgrade to 1.1.1
5. Use iphuc to access the changes and, with luck, get execute access.
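To make the method concrete, here is the swap re-enacted in a throwaway directory on a Mac or Linux box. It is an added example, not the author's commands or part of iphuc: $SANDBOX stands in for the phone's root, and the afc_* functions are a stand-in for what an AFC client such as iphuc does, which is resolve every requested path under /var/root/Media and let the kernel follow whatever symlink it finds there.

```bash
# Added example, not the author's commands: re-enact the Media symlink swap in a
# throwaway directory. $SANDBOX (assumed) stands in for the phone's root (/).
SANDBOX="${SANDBOX:-$(mktemp -d)}"

# A miniature 1.0.2-style tree: /etc/fstab and /bin on the root partition,
# plus the /var/root/Media directory that the AFC service exports, holding one
# constructed photo file.
make_fake_phone() {
    mkdir -p "$SANDBOX/etc" "$SANDBOX/bin" "$SANDBOX/var/root/Media/DCIM"
    printf '%s\n' '/dev/disk0s1 / hfs ro 0 1' \
                  '/dev/disk0s2 /private/var hfs rw,noexec 0 2' > "$SANDBOX/etc/fstab"
    printf 'launchctl\n' > "$SANDBOX/bin/launchctl"
    printf 'jpeg-bytes\n' > "$SANDBOX/var/root/Media/DCIM/IMG_0001.JPG"
}

# Steps 1-3 of the method against the sandbox: park the real Media directory
# under a new name, then give its old name to a symlink pointing at the root.
# On the phone the last command is simply: ln -s / Media
swap_media_for_root() {
    ( cd "$SANDBOX/var/root" && mv Media backup && ln -s "$SANDBOX" Media )
}

# What an AFC client such as iphuc does, reduced to two functions: every path
# it is handed is resolved under /var/root/Media and the symlink is followed.
# Before the swap that confines it to media; after the swap it reaches everything.
afc_ls()  { ls  "$SANDBOX/var/root/Media/$1"; }
afc_cat() { cat "$SANDBOX/var/root/Media/$1"; }

# The check to run before hitting Update: is Media really a symlink now?
media_is_symlink() { [ -L "$SANDBOX/var/root/Media" ]; }

# Walk-through:
#   make_fake_phone; afc_ls DCIM            -> IMG_0001.JPG (only media)
#   swap_media_for_root; afc_cat etc/fstab  -> the root partition's fstab
#   afc_ls var/root/backup/DCIM             -> the parked photos, still there
```

One caveat the swap introduces: Media/var/root/Media is now the root again, so the tree contains a cycle. A naive recursive copy through the link (ditto, a Finder drag, or a recursive get added to iphuc) will revisit itself until it hits a path-length limit; any walker needs to skip that path or cap its depth.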
Getting started
10:13 AM. My 1.0.2 iPhone is sitting here next to me. It is running ssh and I'm ready to start the hack. I do the linking method as follows:
% cd
% pwd
/private/var/root
% mv Media backup
% ln -s / Media
I've now closed the shell and attached the iPhone to my Mac and am about to start the upgrade. Man, it really physically repels me to hit that Update button... The fear. The uncertainty. The doubt.
The iPhone upgrade
10:20 AM. Right now it's extracting software and getting ready to do the install. I have never unlocked this phone, so I'm hoping the update will proceed smoothly. Let's see if I get bricked or not.
10:22 AM. It's "Updating iPhone software..." now.
10:23 AM. Verifying updated iPhone software. Oh noes! I can has the 1.1.1 upgrade now?
10:24 AM. Updating iPhone firmware...Pleasant elevator music plays in the background. (Because every great hack must be accompanied by elevator music.)
10:26 AM: Your iPhone has been updated, and is restarting. Activate iPhone, connect to iTunes.
10:27 AM: Wrong SIM!!!!! Oh man. (Trust me, it's a pure AT&T SIM on a pure AT&T account.)
10:28 AM: I pull the phone out of the dock and then reconnect to iTunes. iTunes could not connect to the iPhone "Bologna" because an unknown error occurred.
10:29 AM: Switching to my Intel Mac from my G4 Mac
10:32 AM: I have the full tree. Getting screen shot now. The phone is not activated but iPhuc connects to it without trouble. w00t!
In the land of the iphuccers
We have Mobile Music Store!
Putting all the screen shots here is going to be pretty cumbersome. Here's a gallery.
MobileStore.app
Next on my agenda is getting a clean copy of MobileStore.app. So I've written a script to try to grab all the files in that folder. Testing now.
10:52 AM. Looks like I've gotten the entire MobileStore.app off the iPhone. It's hard to test, of course. What I did was use iphuc's scripting ability: I listed all the contents of the app and then wrote a script to cd into the proper folder and copy those files to my Mac. If you want an example of how to do this, see my command-line media utilities.
Testing Read/Write
I create a file on my Mac called test.txt. In it, it just says "THIS IS A TEST". I copy it to /var/root with iphuc. It works.
Next, I delete it from the Mac and copy it back with iphuc.
Yes, it copied back correctly. I delete it again, copy back, check. The /var/root section (at least) is writable and readable.
Happiness
Whee! (This section brought to you by reader Joe Maller)
File system stuff
On Dinopio's suggestion, I take a look at fstab:
% cat newfstab
/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2
I've now run iPhoneDisk--and no, no kernel panics today yet--and mounted the iPhone to /Volumes/Media. Pictures here and here.
I'm now trying to copy the entire file system to my mac. Ditto failed, so I'm copying via drag and drop. Will report back on progress.
Responding to readers
Right now, I can't get executable access to the iPhone disk. I can put files into the media partition, but it is mounted "noexec", and I can't yet change fstab, which lives on the root partition that fstab itself mounts read-only. So I cannot do screen shots from the iPhone--or get shell access either. Everything right now is being done through AFC.
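To see exactly what those two fstab lines permit, here is an added helper (not from the post, and not part of iphuc or iPhoneDisk) that reads the fstab shown above, reproduced inline as constructed input, and reports which mount owns a given path and whether that mount lets files be written or executed. The one assumption it bakes in is that /var is a symlink to /private/var, which the "cd /var/root; pwd" output earlier in the post shows.

```bash
# Added helper, not from the post: read the two-line fstab shown above
# (reproduced here as constructed input) and answer, for a given path, which
# mount owns it and whether that mount lets you write or execute.
FSTAB='/dev/disk0s1 / hfs ro 0 1
/dev/disk0s2 /private/var hfs rw,noexec 0 2'

# Print "<mount point> <options>" for the longest mount point that is a prefix
# of the path in $1. Empty lines and # comments are skipped.
mount_for_path() {
    path=$1
    # On the phone /var is a symlink to /private/var (cd /var/root; pwd gives
    # /private/var/root), so canonicalise that one link by hand.
    case $path in /var|/var/*) path="/private$path" ;; esac
    best_mp=''
    best_opts=''
    while read -r dev mp fstype opts dump pass; do
        [ -z "$dev" ] && continue
        case $dev in '#'*) continue ;; esac
        # Compare directory-wise: "/private/var" must not match "/private/varx".
        case "$path/" in
            "${mp%/}/"*)
                if [ ${#mp} -gt ${#best_mp} ]; then
                    best_mp=$mp
                    best_opts=$opts
                fi ;;
        esac
    done <<EOF
$FSTAB
EOF
    printf '%s %s\n' "$best_mp" "$best_opts"
}

# Does a comma-separated mount option list ($1) contain the option $2?
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# Exit 0 if files under $1 can be written / executed, 1 otherwise.
writable()     { set -- $(mount_for_path "$1"); ! has_opt "$2" ro; }
exec_allowed() { set -- $(mount_for_path "$1"); ! has_opt "$2" noexec; }

# Examples:
#   mount_for_path /var/root/test.txt  -> "/private/var rw,noexec"
#   mount_for_path /etc/fstab          -> "/ ro"
#   writable /var/root/test.txt        -> yes;  exec_allowed /var/root/test.txt -> no
#   exec_allowed /bin/launchctl        -> yes;  writable /etc/fstab             -> no
```

The longest-prefix match is what makes the answer right for nested mounts: /private/var/root/test.txt is under both "/" and "/private/var", and the deeper mount's options are the ones that apply. That is the whole story of this section in two lines: the partition you can write to is noexec, and the file that says so is on the partition you can't write to.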
Testing the Music store on 1.0.2
I've tracked down a tester who is going to test the mobile store app on a 1.0.2 system. At my insistence, he has sworn not to distribute the application. The goal here is not to start throwing around copyrighted material but rather to be able to get everyone up to 1.1.1 without losing shell access and third-party applications.
Unfortunately, it doesn't work. It hangs for a few seconds and then goes back to the home screen. Either it's missing some 1.1.1 frameworks or it needs authentication a la YouTube. So the 1.0.2/mobile music store experiment is, for the moment, a bust.
Looking at the file system
Stripped down even more than last time. Guess what's in /bin? One thing: launchctl.
iPhoneDisk
My attempts to copy files with iPhoneDisk failed. It's just too flaky, too alpha, too many bugs.
Responding to Readers
Can you add ringtones to a 1.1.1 iPhone this way? Probably yes. But you need to stick your ringtones into /private/var/root/Library/Ringtones because there's currently no write access to /Library/Ringtones.
No, I haven't gotten my iPhone activated--and I'm not sure that's going to happen. Which kinda ticks me off since I'm paying AT&T $50-odd each month.
Reader pmppk writes: Just wanted to add that I don't think that ringtones will work this way. I had a couple of ringtones in my /var/root/Library/Ringtones before I updated. The contacts that they were assigned to retained them with the prefix "user:", but they weren't browseable in any of the ringtone menus.
Lockdown folder
The lockdown folder (/System/Library/Lockdown) has a lot more items than in previous versions. You can take a peek at the contents here.
Just a reminder: /System/Library/Lockdown is currently read only.
Bleg
What we really need right now is a version of iphuc that does recursive file copies. If there are any C++ wizards out there who can help, could you please visit the iPhuc repository and update the code to do that? Thanks!
Don't feel that you need write access to the repository. If you write it, I will use it!
Update
Right now, I'm writing a series of shell scripts to run iPhuc to get files, list folders, etc. I've given up completely on the (utterly flaky) iPhoneDisk.
Writing these routines will take a while. I'll be back later in a separate post to let you know the results. That's it for this morning live-blog wise. Things are moving fast, so I'll keep you up to date.
Comments
Am screwed!!! Please help, please, please help. I have an iPhone which I got with 1.0.2 firmware, and I worked my way through to 1.1.1, then by mistake to 1.1.2. In my stupid attempt to fix it, I used iBrick 09-something, and the stupid thing must have deleted some startup files, because now every time I try to switch it on, it takes me through a terminal thing with words and codes flowing, and then the black screen with the grey shiny Apple, and it doesn't load; it restarts!!! Please help!!!
November 20 2007 at 12:48 AM
Hey easymac, what have you done for the dev community lately?
Geez, what is the deal with people and their sense of entitlement nowadays?
Why don't you STFU and get back to salting the fries.
You mention not having execute access... does that mean that you do have write ability?
Just a curiosity... I'm not sure if the directory/file structure is the same as the old BSD/OS that Mac OS X is based on, but if it's the same, here is an idea to try.
If you can write to the system,
perhaps you can edit /etc/inetd.conf and add a telnet application to the boot list. :)
I guess you will also need to be able to upload a compatible telnetd app to a bin dir on the Pod.
Or possibly you should just try a simple shell app, something that won't search for your password... maybe the "csh" shell or something.
I would love a telnet app on my iPod.
iPhone 1.1.1 Hack is out in India by a guy named Imran Sayed
Read it here:
http://IndyChai.com
Is there any way to email me the new icons for Calculator & the MobileStore.app? I'd like to try & convert them from their weird version of PNG to the normal PNG format.
October 07 2007 at 5:16 PM
@ Bay --> You first lol
October 07 2007 at 3:56 PM
Um, this would be marginally useful if you'd updated it some time in the last 2 f***ing days.
I don't expect that you've solved the problems, I just want to know what you HAVE done.
Does Apple's OS have a sudoers file? Seems to me if it did, then you could create another profile with root authority. Then after the 1.1.1 upgrade you could use it instead of root to make permission changes.
I never had firmware 1.1.1 on my iPhone.
It was unlocked on firmware 1.0.2.
Last time I restored 1.0.2 from my hard drive.
I forgot to turn off ituneshelper.exe,
and now I have firmware 1.0.2 + BUG.
Nothing works: iBrick doesn't work, AppTapp doesn't work.
Look:
http://youtube.com/watch?v=1AUK36ubYyk
What is wrong?
Sorry for my English, I'm from Poland.
Re: music store on 1.0.2
Seriously, are the people that want to hack their iPhones really people that give two shts about the WiFi Music Store?
I don't mean to pigeonhole and stereotype here, but people that spend their time trying to hack 3rd-party apps onto their iPhone don't appear to me to be the kind of people that would really care about the additional hassle of buying music on their Mac and then transferring it.
Hell, if I was hacking apps onto my iPhone (in the UK, can't wait until Nov 9th) I'd want a VNC client so whilst I'm away from home I can log in to my home Mac, buy music from the iTunes Store, then download it to my phone!