
Copyright secretmrx 2009. Document version 2.0. iPhone is a registered trademark of Apple Inc.

Section 1 Vocabulary
  Simple Vocabulary
    Jailbreak
    Activate/Hacktivate
    Unlock
  Advanced Vocabulary
    Accelerometer
    Baseband
    Bootloader
    Brick
    BSD Subsystem
    DFU Mode
    3G/EDGE
    GPS
    GSM
    iBoot
    IMEI
    iPhone Dev Team
    Pwning, PwnageTool, QuickPwn, WinPwn
    Ramdisk
    Recovery Mode
    Seczone
    SIM
    SSH
    UMTS

Section 2 Practical Work
  A Brief History of iPhone Hacking
  PwnageTool Mac
  PwnageTool Usage
  QuickPwn Windows + Mac
  QuickPwn Usage

Section 3 Useful Information
  How To...
    Enter/Exit DFU Mode
    Enter/Exit Recovery Mode
    Use SSH
    Change Your APN
    Update Your Carrier Bundle
    Downgrade iPhone OS
  Useful Links

Conclusion

License


Section 1 Vocabulary

You may have seen many of these words before: on websites, in emails you have received, or in other iPhone guides. The aim of this section is to clear up any confusion you may have, leaving you a competent iPhone hacker. It is important that you thoroughly understand the Simple Vocabulary before reading further into this guide, as these are the words you will come across most.

Simple Vocabulary

Jailbreak

To read and write to the operating system partition on the iPhone, you must jailbreak it. Confused? Not to worry.

Partitioning is what happens when the operating system treats one physical piece of storage as several smaller, separate units. Say you ordered a pizza, and it arrived in a nice box. The box and the whole pizza inside it are the hard drive you can store files on. Now, if you open the box and cut the pizza in two, you have effectively made two hard drives. That is how partitioning works: the computer opens the box, sees the halved pizza and treats it as two drives, when it is really one drive pretending to be two.

Your iPhone works this way. It uses two partitions: the media partition and the operating system partition. The media partition is where all your iTunes data is stored: music, movies, contacts, App Store apps and so on. It takes up almost the whole of your iPhone's storage capacity, minus the 500-600MB reserved for the OS partition. Because of the way Apple have set up iPhone OS, none of the hacking can be done in this easily accessible partition. To hack the device, we must get into the OS partition.

The OS partition, the space on the iPhone that Apple has locked us out of, is where the jailbreak lies. This is where the iPhone's operating system, iPhone OS, is stored. Apple mounts it read-only, and the kernel refuses to run any code that Apple has not signed, which is what keeps unofficial software out. Once we have read/write access to this partition and the signature checks have been patched out (see Bootloader), we can do a number of things, such as:

• Run unofficial (non-App Store) applications
• Execute scripts and commands
• Tweak the visual aspects of iPhone OS

Jailbreaking brings this functionality - and more - to your device.

Activate/Hacktivate

To activate your device means to unlock access to the SpringBoard (the home screen) by satisfying your phone that you are using an iPhone-supported carrier.

After purchasing your device or doing an iTunes restore, you may notice that you cannot do anything except place emergency calls. You are locked out of your home screen, and the 'slide to unlock' text has changed to read 'slide for emergency'. This is because your iPhone wants to be connected to iTunes, so that iTunes can check with Apple's activation server that the SIM in the phone belongs to a supported carrier (AT&T in the US, Vodafone in New Zealand) and hand the phone an activation record to store. If you wish to use your device on an unsupported network, or simply as an iPhone without the phone features, you must trick the device into believing it has been legitimately activated through iTunes. This is sometimes referred to as 'hacktivation'. Note that jailbreaking is a prerequisite of hacktivation.

Unlock


Unlocking your device means opening up the iPhone's modem to accept SIM cards from unofficial carriers. In the US, for example, an iPhone will not connect to any carrier other than AT&T unless it is unlocked.

Just as iPhone OS controls the applications you interact with whenever you use your phone, the baseband processor controls the modem. The baseband processor has its own firmware, separate from the main OS, called the baseband firmware. During most iPhone software updates, Apple also update the baseband firmware on the device. The unlock lives in the baseband firmware: by patching out certain bytes, you can bypass the SIM check. For some devices, an updated baseband means a software unlock is no longer possible. Thankfully, PwnageTool from the iPhone Dev Team can strip the baseband update out of an iPhone software update, allowing those devices to stay unlocked and still enjoy the latest version of the iPhone software. We will not cover unlocking in great detail, as this guide is intended for beginners and it is a very technical subject. Jailbreaking and activating/hacktivating are prerequisites of unlocking.

Advanced Vocabulary

The following words are not crucial to know, but the more you know, the better.

Accelerometer

The accelerometer detects the orientation of your iPhone. Applications can be built to take advantage of this, as Safari does when you turn your iPhone onto its side. Some games use the accelerometer to control the character, such as Super Monkey Ball from the App Store.

Baseband

The baseband in the iPhone manages everything that goes over the cellular radio. It is separate from the OS: it is its own processor, with its own firmware, called the baseband firmware.

Bootloader

A bootloader is code that runs when the device is powered on, before the operating system. Two bootloaders you may have heard of are the baseband bootloader and iBoot. On the application processor side the boot chain runs bootrom, then LLB (the low level bootloader), then iBoot, then the kernel, and each stage checks Apple's signature on the next before handing over to it. Bootloaders therefore police the iPhone OS, making sure everything is the way Apple want it to be and refusing to load unsigned, non-Apple code. PwnageTool, WinPwn and QuickPwn patch these signature checks out of the bootloaders (LLB, iBoot) and the kernel, allowing unsigned code to be executed.

Brick

To brick a device means to render it permanently unusable, usually through software modifications. A common misconception is that a jailbreak that goes wrong could brick your device; this is not true. Thanks to DFU mode and iTunes' restore system, a device that did not jailbreak correctly can easily be recovered. The exception is the baseband: a restore rewrites the OS partition, not the baseband bootloader or the seczone, so mistakes there (see Seczone) are the one place a real brick is possible.

BSD Subsystem

As iPhone OS is a special version of OS X, it has BSD underpinnings. BSD Subsystem is a set of tools and commands that some applications require to run properly, and which you can also run yourself from a command prompt (over SSH, for example). Apple does not ship iPhone OS with many commands, so many have been ported from OS X to iPhone OS.


DFU Mode

DFU (Device Firmware Upgrade) mode is a special mode in which the device can still talk to iTunes over USB, yet loads neither iBoot nor iPhone OS; it is handled by the bootrom, the very first, read-only stage of the boot chain. The screen stays off and lifeless in DFU mode, so it is impossible to tell whether the device is in DFU or powered down simply by looking at it. PwnageTool exploits a vulnerability in DFU to flash custom firmware to the device, and since iBoot and the OS are not loaded, their version checks never run and downgrading firmware versions is possible.

3G/EDGE

EDGE and 3G are two mobile data technologies that let you get online virtually anywhere with your iPhone. The original iPhone supports EDGE/GPRS, a slower form of internet access, while the iPhone 3G supports the faster 3G standard.

GPS

GPS, or Global Positioning System, is a method of locating your iPhone 3G from the timing of signals received from several satellites. This allows you to get directions through the Maps application, as well as geotag photos. Photos that have geotags can have their location looked up in mapping software, such as Google Earth.

GSM

GSM, or ‘Global System (or Standard) for Mobile communications,’ is the most popular mobile phone standard in the world. Unlike CDMA, GSM phones take advantage of SIM cards. SIM cards contain certain data, such as the phone number of that SIM, the ICCID etc. Both iPhone and iPhone 3G support GSM.

iBoot

iBoot is the bootloader for the application processor on iPhone OS devices, and it is what implements recovery mode. During a restore, iBoot checks that the firmware you are flashing is a version greater than or equal to the one currently installed; if it is not, iBoot will not allow the restore to proceed. Because of this, firmware downgrading must be done in DFU mode, where iBoot is not running. iBoot also has an interactive command interface, reachable over USB or serial.

IMEI

An International Mobile Equipment Identity number is a fixed 15-digit number that identifies your handset. All mobile phones have an IMEI, and no two are the same. It is similar to a MAC address in that it is a unique hardware identifier; it belongs to the phone, not to the SIM.

iPhone Dev Team

The iPhone Dev Team are a group of hackers who extend the iPhone's capabilities past what Apple offer. They are known for staying on the right side of the law: they never redistribute Apple's copyrighted code, which is why their tools ask you to supply Apple's own firmware and bootloader files yourself.

Pwning, PwnageTool, QuickPwn, WinPwn

These programs are used to patch the signature checks out of the bootloaders and kernel of the iPhone. The exploit they use is at DFU level, in the bootrom. PwnageTool and WinPwn both build custom restore files (.ipsw) for you to restore to, while QuickPwn patches the device in place, on the firmware it is currently running.

Ramdisk


A ramdisk is a virtual disk held in RAM rather than on the flash storage. QuickPwn uses one to boot the custom payload that jailbreaks the device. Apple likewise use a ramdisk to run the restore procedure when the device is in recovery mode: you cannot overwrite the OS while it is running, so the restore must be done from a separate environment.

Recovery Mode

Recovery Mode is a state of iBoot that is used during standard upgrades and restores. Because iBoot is active, it does not allow you to downgrade your device's software, and unless it is 'pwned' it will not allow custom firmware to be flashed.

Seczone

The seczone is an area of the baseband's flash that holds data about the lock state of your iPhone, as well as your RSA token. An official unlock requires the user to enter an unlock code, which is then checked against the data in the seczone. The lock table records how many unsuccessful official unlock attempts have been made, as well as which provider the phone is locked to. If you exceed 3 unsuccessful unlock attempts, the baseband goes into brick mode.

SIM

A Subscriber Identity Module is a small chip provided to you by your carrier that contains your specific, unique subscriber data: your IMSI (the identity the network knows you by), the ICCID (the card's own serial number) and usually your phone number. The IMEI is not on the SIM; it belongs to the handset. The SIM card is what identifies you, rather than your phone, to the cellular network, and is used by GSM and UMTS phones.

SSH

Secure Shell is a method of securely exchanging data between two devices. On the iPhone it is the usual way of getting a command line and transferring files between the phone and a computer (provided the iPhone is jailbroken and OpenSSH is installed). The default login credentials are username root, password alpine. The OpenSSH package uses this same pair on every device and it is public knowledge, so change the root password (and that of the mobile user, which also defaults to alpine) as soon as you have logged in for the first time; until you do, anyone on the same Wi-Fi network can log in to your phone as root.

UMTS

UMTS is the 3G successor to GSM, a W-CDMA based network that keeps GSM's SIM-based subscriber model. This is the technology that the iPhone 3G uses.


Section 2 Practical Work

What’s in this section?

In this section you will learn about the different methods you can use to hack your device. We will start off with a brief history of iPhone hacking, and then proceed to familiarize you with the tools you will be using.

A Brief History of iPhone Hacking

Over time things change, and the iPhone is no exception. Back in the 1.0.x days, unlocking was an ugly process, and jailbreaking a manual one. PwnageTool was not available then, it was all done through Terminal/Command Prompt environments.

When 1.1.1 was introduced, the iPhone Dev Team (considerably smaller than their current size) released a manual jailbreak. This was challenging and not for the average user.

Later on, an exploit was discovered in MobileSafari which allowed code to be executed, all while Safari thought it was opening a .TIFF image. This was a true one-click jailbreak/activate solution, and a computer was not required at any stage of the process. This method, from jailbreakme.com, placed the hugely popular Installer.app, the unofficial package management application, on the device.

Times have changed. Over time Apple have patched a lot of bugs and holes, yet significant exploits keep being discovered. One of those is the Pwnage exploit, which, because it lives in the bootrom where Apple cannot patch it with a software update, gives an unchanging and incredibly user-friendly means of hacking your device, thanks to the iPhone Dev Team's great GUI applications. Along with the Pwnage exploit came BootNeuter, the ultimate unlocking tool for first-generation iPhones. BootNeuter permits a custom baseband bootloader and firmware to be flashed to the phone, creating a forever-unlockable phone.

PwnageTool Mac

PwnageTool can activate, jailbreak and unlock your device and allow third-party applications on it. Unlike QuickPwn, it does this through a custom restore bundle, an .ipsw file that it builds from Apple's own firmware. You then restore to this bundle in iTunes and, on completion, have a device tailored to your needs. If you have never 'pwned' your phone, PwnageTool will use a special Device Support file which, with the device in DFU mode, allows a custom restore to be flashed. Once this has been done once, you can keep restoring to custom firmware without 'pwning' again. The process is reversible: restore to a stock Apple firmware file and everything is back to normal, apart from a baseband bootloader that BootNeuter has rewritten, which a stock restore does not touch.

PwnageTool Usage


1. Download and open PwnageTool. PwnageTool can be found at blog.iphone-dev.org.
2. Connect your device.
3. Choose iPhone, iPhone 3G or iPod touch on PwnageTool's main screen.
4. You will be asked what you wish to do. Choose from the list, then press Next.
5. If you selected iPhone, you may be asked for bootloader files. PwnageTool does not ship them because they are Apple's code; a simple Google search for 'iPhone bootloaders' should find them (they may download as a .zip; decompress it and you should find two files, 3.9 and 4.6).
6. At the end of the process, you will be asked if your device is pwned. If you are unsure, or do not even know what that means, press Yes. It does not hurt if you press Yes, but you may get some iTunes errors if you press No.
7. Open iTunes with your device connected. It may be in DFU mode from PwnageTool. If it is, leave it there.
8. Click on the iPhone tab in iTunes.
9. You should see a button that reads 'Restore'. Hold down Shift on Windows or Option on a Mac and click Restore. A file browsing window should appear.
10. Choose your custom restore file.
11. The restore will begin, and your device will wake up customized.

QuickPwn Windows + Mac

Note: both programs are called QuickPwn on each OS, yet you must download the copy that suits your platform.

QuickPwn works on the same exploit that PwnageTool does, breaking the chain of trust from the bootrom through LLB and iBoot. Like PwnageTool, it 'pwns' your device, but through a different route. Unlike PwnageTool, QuickPwn can do all this without you needing to restore: it uses a ramdisk and the DFU exploit to make the modifications to your device in place. For some people this is by far the best method, as restoring means syncing all your data back afterwards.

QuickPwn Usage

1. Download QuickPwn. You can get it from blog.iphone-dev.org.
2. Connect your device.
3. Open QuickPwn.
4. Choose what you wish to do from the options.
5. If you selected iPhone, you may be asked for bootloader files. A simple Google search for 'iPhone bootloaders' should find them (they may download as a .zip; decompress it and you should find two files, 3.9 and 4.6).
6. Your iPhone screen will show a progress bar. Wait until it has completed.


Section 3 Useful Information

How To...

Enter/Exit DFU Mode

Note: When in DFU mode, the screen will appear to be turned off. Because of this, the only way to tell if you are in DFU mode is to be connected to iTunes. It is recommended that you read through these steps thoroughly before continuing.

To enter:

1. Connect your device to iTunes.
2. Hold down the Home and Power buttons together for 10 seconds.
3. After 10 seconds, release the Power button but keep holding Home.
4. After a few more seconds (10 or so), iTunes will report that it has detected a device in recovery mode. Because the screen stays black in DFU mode, this iTunes message is your only confirmation that you got there.

To exit:

1. With your device in DFU mode, hold the Home and Power buttons until the device shows the Apple logo. This may take 30-60 seconds.
2. When the device shows the Apple logo, release the buttons.

Enter/Exit Recovery Mode

To enter:

1. Disconnect the device from the computer and open iTunes.
2. Turn off the device.
3. While it is turned off, hold down the Home button and connect the device to iTunes.
4. Keep holding the Home button as it boots.
5. If you are in recovery mode, you will see a 'Connect to iTunes' graphic on your screen.

To exit:

1. While in Recovery Mode, hold down the Home and Power buttons for 10 seconds.
2. After 10 seconds, release the Home button but continue to hold the Power button.
3. Keep holding the Power button until the Apple logo appears.

Use SSH

1. Download WinSCP (Windows) or Cyberduck (Mac).
2. Install OpenSSH from Cydia/Installer on your device.
3. Open the SSH application on your computer.
4. Enter your device's IP address (found in Settings -> Wi-Fi -> tap the blue arrow by your network) in the Host name box.
5. Enter the username root and password alpine.
6. Connect. Your first login may take a while, possibly many minutes, because the device is generating its SSH host keys. If you get any popups about the host not responding, ignore them.
7. Before anything else, change the root password and the mobile user's password. Both default to alpine, the OpenSSH package uses the same pair on every device, and until you change them anyone on the same Wi-Fi network can log in to your phone as root.
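Step 5 logs in with a password that every iPhone OpenSSH install shares. The script below is an added example, not code from the guide or from the iPhone Dev Team: it replaces password logins with key-based access by installing your public key for root and mobile, rewriting the phone's sshd_config so that password authentication is refused, and pushing the result back over the existing SSH connection. It assumes the paths that applied to iPhone OS 2.x (sshd_config at /etc/ssh/sshd_config, root's home at /var/root, mobile's at /var/mobile), that chown is available from the BSD Subsystem, and that the device is reachable at the IP from step 4. Run without arguments, it shows the edit on a constructed sample config instead of touching a device.

```python
"""Lock down the OpenSSH install on a jailbroken iPhone (added example)."""
import re
import subprocess
import sys

# Directives to pin. Keys only: root/alpine is public knowledge.
HARDENED_DIRECTIVES = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PermitRootLogin": "without-password",
}

# Matches "Key value" and "#Key value"; group 1 is the directive name.
_DIRECTIVE_RE = re.compile(r"^\s*#?\s*(\w+)\s+\S")


def harden_sshd_config(text, directives=HARDENED_DIRECTIVES):
    """Return sshd_config text with each directive set exactly once.

    Commented-out or duplicated occurrences are replaced in place so the
    file keeps its order; anything missing is added as a global setting,
    i.e. before the first Match block (settings after Match would only
    apply inside that block).
    """
    out, seen, match_at = [], set(), None
    for line in text.splitlines():
        match = _DIRECTIVE_RE.match(line)
        key = match.group(1) if match else None
        if key == "Match" and not line.lstrip().startswith("#") and match_at is None:
            match_at = len(out)
        if key in directives:
            if key not in seen:
                out.append(f"{key} {directives[key]}")
                seen.add(key)
            continue  # drop later duplicates and stale commented copies
        out.append(line)
    missing = [f"{k} {v}" for k, v in directives.items() if k not in seen]
    if match_at is None:
        out.extend(missing)
    else:
        out[match_at:match_at] = missing
    return "\n".join(out) + "\n"


def effective_directives(text):
    """Active (uncommented) directives of an sshd_config; first one wins,
    as in sshd itself."""
    active = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2:
            active.setdefault(parts[0], parts[1])
    return active


def install_key_script(pubkey):
    """Shell to run on the phone: authorise PUBKEY for root and mobile."""
    lines = []
    for home, owner in (("/var/root", "root"), ("/var/mobile", "mobile")):
        lines += [
            f"mkdir -p {home}/.ssh",
            f"echo '{pubkey}' >> {home}/.ssh/authorized_keys",
            f"chmod 700 {home}/.ssh",
            f"chmod 600 {home}/.ssh/authorized_keys",
            f"chown -R {owner} {home}/.ssh",  # sshd rejects keys owned by someone else
        ]
    return "\n".join(lines) + "\n"


def harden_device(ip, pubkey):
    """Push the key and the rewritten config over ssh (needs the phone online).
    Restart sshd, or reboot the phone, for the new config to take effect."""
    target = f"root@{ip}"
    subprocess.run(["ssh", target, "sh"], input=install_key_script(pubkey),
                   text=True, check=True)
    current = subprocess.run(["ssh", target, "cat /etc/ssh/sshd_config"],
                             capture_output=True, text=True, check=True).stdout
    subprocess.run(["ssh", target, "cat > /etc/ssh/sshd_config"],
                   input=harden_sshd_config(current), text=True, check=True)


# Constructed sample, roughly what a stock sshd_config looks like.
SAMPLE_SSHD_CONFIG = """\
# sample config (constructed for the example)
Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        harden_device(sys.argv[1], sys.argv[2])  # usage: script.py <phone-ip> "<pubkey>"
    else:
        print(harden_sshd_config(SAMPLE_SSHD_CONFIG))
```

Generate the keypair on the computer first (ssh-keygen), pass the contents of the .pub file as the second argument, and keep the existing session open until you have confirmed a fresh key-based login works; with password authentication off, a typo in authorized_keys would otherwise lock you out until the next restore.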

Change Your APN


If you cannot change your APN in Settings -> General -> Network, follow these steps:

1. Open Safari on your device.
2. Navigate to unlockit.co.nz.
3. Tap 'Continue'.
4. Tap 'Custom APN'.
5. Enter your APN and credentials.
6. Tap 'Create Custom Profile'.
7. Install the configuration profile.

Before you tap Install, read what the profile contains on the install screen. A configuration profile is just a property list, and the same mechanism that sets an APN can also install root certificates, VPN or proxy settings, or mark itself as non-removable. A profile that only changes your APN should list nothing but the APN settings.
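Step 7 installs a profile generated by someone else's website. As an added example (not the guide's own code, nor anything from unlockit.co.nz), the script below builds the same kind of profile locally and audits any .mobileconfig before you install it, flagging payloads that have nothing to do with an APN. It assumes the legacy APN payload layout that iPhone OS 2.x/3.x accepted (PayloadType com.apple.apn.managed with DefaultsDomain com.apple.managedCarrier and an 'apns' list under DefaultsData); the organisation identifier, APN values and the stand-in certificate bytes are made up for the example.

```python
"""Build and audit an APN configuration profile (added example)."""
import plistlib
import uuid

APN_PAYLOAD = "com.apple.apn.managed"  # legacy APN payload type (assumption)


def _uuid():
    return str(uuid.uuid4()).upper()


def build_apn_profile(apn, username="", password="", org="com.example"):
    """Return XML plist bytes of a profile carrying exactly one APN payload."""
    apn_payload = {
        "PayloadType": APN_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.apn",  # hypothetical identifier
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"APN {apn}",
        "DefaultsDomain": "com.apple.managedCarrier",
        "DefaultsData": {"apns": [{"apn": apn, "username": username, "password": password}]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.apn.profile",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": f"Custom APN ({apn})",
        "PayloadContent": [apn_payload],
    }
    return plistlib.dumps(profile)


def audit_profile(data, allowed_types=(APN_PAYLOAD,)):
    """Parse a .mobileconfig and return (payload types, warnings).

    A profile that is only meant to set an APN must not also carry a root
    CA, VPN, proxy or MDM payload, and should remain removable."""
    profile = plistlib.loads(data)
    warnings = []
    if profile.get("PayloadType") != "Configuration":
        warnings.append("top-level PayloadType is not Configuration")
    if profile.get("PayloadRemovalDisallowed"):
        warnings.append("profile forbids its own removal")
    content = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "<missing>") for p in content]
    for t in types:
        if t not in allowed_types:
            warnings.append(f"unexpected payload type {t}")
    for p in content:
        if p.get("PayloadType") == APN_PAYLOAD:
            for entry in p.get("DefaultsData", {}).get("apns", []):
                if not entry.get("apn"):
                    warnings.append("APN entry without an apn name")
    return types, warnings


def apn_names(data):
    """List the APN names a profile would configure."""
    profile = plistlib.loads(data)
    names = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == APN_PAYLOAD:
            names += [e.get("apn", "") for e in p.get("DefaultsData", {}).get("apns", [])]
    return names


def smuggle_root_cert(data, der_cert=b"\x30\x03\x02\x01\x01"):
    """Constructed tampering for the demo: add a root-certificate payload
    to an existing profile and mark it non-removable, which is what a
    malicious profile-generating site could do alongside the APN you
    asked for. der_cert is a stand-in blob, not a real certificate."""
    profile = plistlib.loads(data)
    profile["PayloadContent"].append({
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.evil.ca",  # hypothetical
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Certificate",
        "PayloadContent": der_cert,
    })
    profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


if __name__ == "__main__":
    good = build_apn_profile("internet.example", "user", "secret")
    with open("apn.mobileconfig", "wb") as fh:  # e-mail or host this for the phone
        fh.write(good)
    print("clean profile:", audit_profile(good))
    print("tampered profile:", audit_profile(smuggle_root_cert(good)))
```

To audit a profile you downloaded instead, read its bytes and pass them to audit_profile; anything in the warnings list is a reason not to install it.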

Update Your Carrier Bundle

1. Download or locate the .ipcc file you wish to flash to your phone.
2. With your device plugged into iTunes, hold down Shift (Windows) or Option (Mac) and press 'Update'.
3. In the window that appears, locate the .ipcc file and select it.
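The steps above flash whatever .ipcc you downloaded without showing you what is inside it. The script below is an added example, not code from the guide: it opens a carrier bundle, reads its carrier.plist and reports the APNs it configures and any archive entries that sit outside the bundle. It assumes, from the bundles in circulation rather than anything the guide states, that an .ipcc is a plain zip archive containing Payload/<Carrier>.bundle/carrier.plist plus artwork, and that the plist's 'apns' list names the APNs; the sample bundle it builds is constructed for the example.

```python
"""Look inside a carrier bundle (.ipcc) before flashing it (added example)."""
import io
import plistlib
import zipfile


def inspect_ipcc(ipcc_bytes):
    """Return (bundle name, carrier.plist as a dict, entries outside the bundle).

    Raises ValueError unless the archive holds exactly one carrier.plist."""
    with zipfile.ZipFile(io.BytesIO(ipcc_bytes)) as zf:
        names = zf.namelist()
        plists = [n for n in names
                  if n.startswith("Payload/") and n.endswith(".bundle/carrier.plist")]
        if len(plists) != 1:
            raise ValueError(f"expected exactly one carrier.plist, found {plists}")
        path = plists[0]
        bundle = path.split("/")[1]
        carrier = plistlib.loads(zf.read(path))
        prefix = f"Payload/{bundle}/"
        # Anything not under the bundle directory has no business in an .ipcc.
        strays = [n for n in names if not n.startswith(prefix) and not n.endswith("/")]
    return bundle, carrier, strays


def summarize(carrier):
    """The fields worth reading before you trust a downloaded bundle."""
    return {
        "keys": sorted(carrier.keys()),
        "apns": [entry.get("apn", "") for entry in carrier.get("apns", [])],  # 'apns' key: assumption
    }


def make_sample_ipcc(stray_entry=None):
    """Construct a minimal .ipcc in memory (not any real carrier's bundle).
    stray_entry, if given, adds a file outside the bundle to show detection."""
    carrier_plist = {"apns": [{"apn": "internet.example", "type": "default"}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Example.bundle/carrier.plist", plistlib.dumps(carrier_plist))
        zf.writestr("Payload/Example.bundle/Default_CARRIER_EXAMPLE.png", b"\x89PNG\r\n\x1a\n")
        if stray_entry:
            zf.writestr(stray_entry, b"#!/bin/sh\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_ipcc("Payload/setup.sh")
    bundle, carrier, strays = inspect_ipcc(data)
    print("bundle:", bundle)
    print("summary:", summarize(carrier))
    print("entries outside the bundle:", strays)
```

Pass the path of a downloaded .ipcc as the only argument; an empty list of stray entries and an APN list that matches what your carrier publishes is what you want to see before step 2.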

Downgrade iPhone OS

1. Download your destination OS. Google search it, eg. ‘iPhone 2.2 download’.2. Enter DFU mode.3. When the device is detected by iTunes in DFU mode, hold Shift on Windows or Option on a

Mac and press ‘Restore’.4. When the restore is complete, iTunes may give you an error, stating that the device may not

have restored properly. This is completely normal, it is because your baseband was not downgraded. To leave recovery mode, simply hold home + power until the device turns off and reboots (about 20 seconds of holding the buttons).

Useful Links

hackint0sh.org

Hackint0sh is one of the best Apple hacking and modding forums. It has a large, helpful and growing user base, and is a great place to go to get some help. Hackint0sh is the home of the iPhone Dev Team.

blog.iphone-dev.org

This is the official blog of the iPhone Dev Team. New hacks and tools are announced here, as well as offering download links to their current software.

digg.com/apple

Digg is a great place to find out about Apple rumors, news, tips and events. Its large user base weeds out the bad articles and promotes the great ones.

apple.com/iphone/

Apple’s own website is one of the best for iPhone resources and information. It showcases top applications from their App Store, and contains tips and tricks you may not have known.


modmyi.com

Once an iPhone only forum, modmyi has grown to become one of the largest Apple forums around. They host Cydia and Installer repositories, and their users are always happy to help.

theiphonewiki.com

The iPhone Wiki is an incredibly useful resource. It is a user-editable wiki, running on the same software (MediaWiki) as Wikipedia. After reading iSeminar, you should be able to understand most of the things in The iPhone Wiki.


Conclusion

Hopefully, after reading iSeminar, you have a much better understanding of iPhone OS, how it works, and how we hack it.

I would like to thank the iPhone Dev Team for their tireless work on the iPhone. They devote their spare time to offer us applications, hacks and tools - all without accepting donations.

License

Please feel free to distribute iSeminar, but do not take credit for it. Please credit it back to me (secretmrx). You may not sell this guide. It is copyrighted work.

secretmrx, 11/04/09
