How the Devteam Conquered the iPhone

ixtli
9 replies
6h1m

Just for history’s sake: I wrote iPHUC (and yes, I was 19 and came up with that name lmao) and a guy with the nick “nightwatch”, who I loved working with, was responsible for the initial jailbreak and coining the term itself. I believe he was also responsible for the PDF or TIFF exploits that unlocked the PSP, too. He worked and lived in South America, possibly at a university … but that’s all I know.

It was a really fun time and I learned a lot.

Also, George Hotz endangered the welfare of a few people who had kindly gotten us access to some documentation in Japanese despite repeated pleas not to do so. Very frustrating and why the dev team all eventually stopped working on the project.

reaperman
5 replies
5h10m

Also, George Hotz endangered the welfare of a few people who had kindly gotten us access to some documentation in Japanese despite repeated pleas not to do so. Very frustrating and why the dev team all eventually stopped working on the project.

Would love any elaboration on this that you can provide which wouldn't expose you to a libel suit.

ixtli
4 replies
5h4m

Honestly I just remember careful coordination about what information / code / artifacts to release from the private IRC channel and when. He ignored the consensus a bunch of times, which led to demoralization and people leaving.

I’ll never know how real the threat to people’s jobs was, but I don’t think they were being overly cautious.

IntelMiner
1 replies
1h49m

Given his later actions with the PlayStation 3, where he watched Fail0verflow's CCC presentation, then immediately pushed the first "Hello World!" firmware patch just so he could say he did, immediately landing the entire team in hot water as Sony (understandably) assumed they were related parties.

Geohot seems to have a history of throwing other people under the bus to score "victories" for attention.

ixtli
0 replies
1h27m

This was my experience, so I was not surprised to read about the PS3 stuff. About 8 or 9 years ago I made a comment somewhere in the depths of HN with more information. Honestly I don't really care about GH so much as I wish other people who were kind and brilliant got the attention and credit they deserve.

95014_refugee
1 replies
2h48m

The “private” IRC channel was not as private as you thought it was…

ixtli
0 replies
1h28m

I earnestly hope that's the case. Someone should really publish the chat transcripts because they are an important part of computing history.

ixtli
2 replies
5h53m

Oh, I just remembered one of the people who helped us understand the ARM architecture (it was somewhat new at the time) had the nick “pineapple”, which is why many of the early UIs had pineapples on them. Again, great people, and it’s a shame we never kept in touch.

epcoa
1 replies
4h26m

ARM32 was nearly 15 years old by that point (the ARM700, the first 32-bit core, dates to 1993). Maybe not exciting, but ARM32 had the bulk of its life before the iPhone; ARM64 came shortly after. Old and boring for the original iPhone ISA was also intentional.

ixtli
0 replies
1h29m

Sorry, I shouldn't have said "ARM architecture" there; obviously ARM32 wasn't anything new, I figured that was implied. We wanted specifics on the S5L8900 and they were (and still are) quite hard to come by. This contributed to the discovery and instrumentation of DFU mode, iBoot, etc. that contributed to the jailbreak.

nicoboo
7 replies
11h40m

Well written and highly detailed description, as always with Fabien's work.

I remember seeing the investigation on this iPhone protection back at the time, what a journey it has been since this work.

Also, I hope someone can provide more information about that minus 0x400 shift before data write so it would be completely explained.

e1ghtSpace
6 replies
11h19m

The minus 0x400 shift appears to work like this:

  Seek(fd, 0xA0020000 - 0x400);

We seek to 0x400 before where we need to write the data.

  SendWrite(fd, foo, 0x400, false);

We set the first 0x400 bytes of what we want to write to 0.

  SendWrite(fd, fw, fwsize, true);

We then set the rest of the bytes to our data.

  SendEndSecpack(fd);

The iPhone copies the data from 0x400 bytes onwards (which is all the data we wanted to write), then tries to verify the signature and fails. If the signature could be verified, the first 0x400 bytes (which we left as all zeros) would then be copied.

trashburger
4 replies
10h41m

Ouch! That's a fail on the same level as Microsoft forgetting the Xbox decryption keys in the secret ROM.

ixtli
3 replies
5h59m

The product itself was, at this stage, very rushed to market.

bombcar
1 replies
3h1m

So very many products are, but most people never see any of it, and most are boring enough that nobody cares to break them apart and see what's inside.

ixtli
0 replies
1h32m

It's also worth noting, on balance, that Apple quickly made it a relatively hardened platform.

95014_refugee
0 replies
2h42m

The IFX team that produced the baseband firmware had never heard of Sicherheit. It was … riddled with trivially exploitable security issues.

nneonneo
0 replies
1h23m

I think Fabien is looking for an explanation as to why shifting by 0x400 bypasses the signature check. For example, is that shift somehow corrupting the signature check logic, or bypassing it by convincing the checker that no check needs to be performed?

rewsiffer
5 replies
4h32m

Anyone know what tool they used to make the flow diagrams? They seem to be text based and might be superior to mermaid.

dewey
3 replies
4h24m

Looks like monodraw, it was also on HN again a few days ago.

FirmwareBurner
2 replies
4h18m

Monodraw seems macOS exclusive, unfortunately :(

FirmwareBurner
0 replies
3h58m

thanks

dmitrygr
5 replies
10h38m

HELP WANTED: If you happen to know why -0x400 trick works, or can get in touch with Geohotz/MuscleNerd, please let me know. I have tried to ask around but have not found any explanation. I would be happy to update this article if someone knows.

This is commonly done with fw updaters. The first 0x400 bytes are a header that the earlier-stage loader needs to see before it'll allow this stage to boot. So you RX the data and write it freely, just not the header. This is safe and will not allow any code exec since the header is missing. Then at the end you sig check the whole thing you wrote, and if it is good, you write the header, making the whole image valid.

The trick here is you write 0x400 bytes of garbage first, 0x400 bytes earlier than your desired write. This is buffered but not written (treated as the header). The rest of what you sent IS written (writing what you wanted where you wanted). Then the sig is checked. You fail. The first 0x400 is not written (and you did not want it written).

win
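A constructed model of the update flow that e1ghtSpace's seek/write/end-secpack walkthrough and dmitrygr's explanation above describe, added here as an illustration and not code from the article or from the baseband: the header (first 0x400 bytes) is buffered until the signature verifies while the rest is committed immediately, so a write shifted 0x400 earlier lands unsigned data on flash. The hardened variant commits nothing before verification. The HMAC "signature", key, flash size and firmware bytes are stand-ins; only the 0x400 header length and the 0xA0020000 address come from the thread.

```python
import hashlib
import hmac

FLASH_BASE = 0xA0000000
FLASH_SIZE = 0x40000          # constructed size for the model
HEADER_LEN = 0x400            # header length from the thread
SIGN_KEY = b"vendor-key"      # stand-in for the vendor signing key (assumption)

def sign(body: bytes) -> bytes:
    """Build a HEADER_LEN header carrying an HMAC over the body (model only)."""
    return hmac.new(SIGN_KEY, body, hashlib.sha256).digest().ljust(HEADER_LEN, b"\0")

class Updater:
    def __init__(self, commit_whole_image: bool):
        self.flash = bytearray(FLASH_SIZE)
        self.commit_whole_image = commit_whole_image  # False = behaviour in the thread
        self.pos = 0
        self.received = bytearray()

    def seek(self, addr: int) -> None:
        self.pos = addr - FLASH_BASE
        self.received = bytearray()

    def send_write(self, data: bytes) -> None:
        start = len(self.received)
        self.received += data
        if self.commit_whole_image:
            return                    # hardened: flash untouched until verified
        # Thread behaviour: bytes past the header go to flash right away;
        # only the header is held back until the signature is checked.
        for i, b in enumerate(data, start):
            if i >= HEADER_LEN:
                self.flash[self.pos + i] = b

    def end_secpack(self) -> bool:
        header, body = self.received[:HEADER_LEN], self.received[HEADER_LEN:]
        expected = hmac.new(SIGN_KEY, body, hashlib.sha256).digest()
        ok = hmac.compare_digest(bytes(header[:32]), expected)
        if ok:                        # only a verified image gets its header committed
            self.flash[self.pos:self.pos + len(self.received)] = self.received
        return ok

def apply_shifted_write(updater: Updater, target: int, fw: bytes) -> bytes:
    """Replay the -0x400 sequence from the thread; return what landed at target."""
    updater.seek(target - HEADER_LEN)
    updater.send_write(bytes(HEADER_LEN))   # the 0x400 zero/garbage bytes
    updater.send_write(fw)                  # the unsigned payload
    updater.end_secpack()                   # signature fails, header is discarded
    off = target - FLASH_BASE
    return bytes(updater.flash[off:off + len(fw)])
```

With `commit_whole_image=False` the unsigned `fw` is present at `target` after the failed check; with `True` the same sequence leaves flash untouched, and a correctly signed image is still accepted.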

ixtli
3 replies
5h43m

Also, the part where you talk about “recovery mode”: I think we referred to this as DFU mode back in the day, “Device Firmware Update”. I’m not entirely sure it was called “recovery” at the time, though I could be wrong as it’s been more than 15 years.

sneak
1 replies
5h1m

I think DFU mode and recovery mode are different. In recovery mode the screen is initialized and displays the “connect to iTunes” image. In DFU mode the screen is blank; I think this is implemented by the bootrom and can be used to restore even iBoot.

https://www.theiphonewiki.com/wiki/DFU_Mode

ixtli
0 replies
4h51m

Ooo, good point. It’s been so long I might be misremembering. The reason I commented was because I thought you had to put the device in DFU to upload the image to the Media dir that was mounted rw. But again, it’s been 15 years lol.

95014_refugee
0 replies
2h49m

DFU is implemented in the ROM; it is morally if not technically a subset of the open standard by the same name.

Recovery mode is implemented in iBoot; it provides mediated access to the command interpreter and some file-ish transfer capabilities.

Both are still in use; whilst the implementations have obviously evolved the fundamental interactions have not changed since the original Apple (not Samsung) ROMs.

ixtli
0 replies
5h48m

iZsh ( https://x.com/izsh1911 ) might also know, but I lost track of that guy more than 10 years ago :(

xyst
0 replies
3h54m

The “S” in original iPhone is for security. All in the name of shipping out that first product.

Just like car manufacturers. Never buy the first few model years of a new product or platform.

xorl
0 replies
4h1m

Those were the days. :)

vmfunction
0 replies
7h33m

These three fields would be concatenated into a token. The token would be sent to Apple server (albert.apple.com) where it would be signed with Apple's private key. The signed token would then be sent back to the device. A daemon lockdownd, listening over USB verified the token using Apple's public key. With the proof that the token came from Apple, and matching DeviceID, IMEI, and ICCID, lockdownd updated the device state to "Activated". The user then had access to the iPhone homescreen and the apps.

Sounds like the precursor to OAuth nowadays.

saagarjha
0 replies
9h24m

Ah, the good old days. Back when iPhone hacking was easy…well not easy, but far easier.

adhambadr
0 replies
3h32m

Fuck, this was a beautiful trip down memory lane. Thanks for the work putting together and narrating this story so well. I remember following the progress halfway across the globe and doing the hardware soldering hack on my 1st-gen, then the good ol' Cydia days. Can't process how young these people were and how they knew how to do such low-level investigative coding. I remember back then I was doing .NET C# and thought I'm the boss. Humbling.