Wednesday, January 30, 2008

The iPhone "Secret" key

Strip the first 0x800 bytes from your >= 1.1.1 firmware ramdisk

Run:
openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

Ignore the error. Then there will be some garbage, signatures and certificates, at the end of the file. Remove it and mount your ramdisk.
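As an added example (not code from the original post), a shell helper that performs the three steps above with two checks the post leaves implicit: it decrypts with -nopad so the trailing signature blob does not trigger openssl's padding error, confirms the key actually worked by looking for the HFS+ signature at 0x400, and trims the trailing garbage to the volume size read from the HFS+ header. The key and the 0x800 offset are the ones on this page; that the decrypted ramdisk is a raw HFS+ volume is my assumption, and build_fixture produces a constructed stand-in image, not a real ramdisk.

```shell
#!/bin/sh
# Added helper, not part of the original post. Key and 0x800 header offset
# are the ones given on the page; the HFS+ layout check is an assumption.
KEY=188458A6D15034DFE386F23B61D43774
HDR=2048   # 0x800 bytes stripped before decryption

# be32 FILE OFFSET: read a big-endian uint32 (HFS+ headers are big-endian)
be32() {
    hex=$(od -An -tx1 -j "$2" -N 4 "$1" | tr -d ' \n')
    echo $((0x$hex))
}

# decrypt_ramdisk IN OUT: strip header, decrypt, verify, trim trailing junk
decrypt_ramdisk() {
    in=$1; out=$2
    tail -c +$((HDR + 1)) "$in" > "$out.body"
    # Only whole AES blocks can be decrypted; -nopad avoids the "bad decrypt"
    # padding error the post says to ignore (the tail is not padded data).
    len=$(wc -c < "$out.body"); len=$((len - len % 16))
    head -c "$len" "$out.body" |
        openssl enc -d -aes-128-cbc -nopad -K "$KEY" -iv 0 > "$out.raw" 2>/dev/null
    # Assumption: the ramdisk is a raw HFS+ volume, so its signature sits at 0x400.
    sig=$(dd if="$out.raw" bs=1 skip=1024 count=2 2>/dev/null)
    case $sig in
        'H+'|HX) ;;
        *) echo "no HFS+ signature at 0x400: wrong key/IV or not HFS+" >&2; return 1 ;;
    esac
    # blockSize (0x428) * totalBlocks (0x42c) = volume size; everything past
    # that is the signature/certificate garbage the post says to remove.
    size=$(( $(be32 "$out.raw" 1064) * $(be32 "$out.raw" 1068) ))
    head -c "$size" "$out.raw" > "$out"
    rm -f "$out.body" "$out.raw"
}

# build_fixture OUT: a constructed stand-in for a real ramdisk so the helper
# can be exercised offline (4096-byte fake HFS+ volume, 512-byte blocks).
build_fixture() {
    out=$1
    { head -c 1024 /dev/zero; printf 'H+'; head -c 38 /dev/zero
      printf '\000\000\002\000\000\000\000\010'   # blockSize=512, totalBlocks=8
      head -c 3024 /dev/zero; } > "$out.plain"
    { head -c "$HDR" /dev/zero
      openssl enc -aes-128-cbc -nopad -K "$KEY" -iv 0 -in "$out.plain" 2>/dev/null
      printf 'not-a-real-signature-blob'; } > "$out"
}
```

Run it as `decrypt_ramdisk ramdisk.dmg de.dmg`; a non-zero exit means the key or IV did not produce an HFS+ image and the output should not be trusted.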

Why would this key be published without any explanation of what it is? Apple knows what it is; not telling us how to use it doesn't serve a purpose for anyone. I don't know exactly what this key is or where it came from. But I do know it decrypts ramdisks :)

Nice job to Zibri, the dev team, and whoever owns Austin Heap for finding this key, I'd love to see the hack used. Sadly this will not help us unlock BL 4.6 phones, or sign our own SDK apps; sign anything for that matter. But hopefully this key is deeply embedded in the iPhone, and decrypting all future ramdisks will be a piece of cake.

Tuesday, January 29, 2008

1.1.3 Unlock and Linux Driver

The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn't update the bootloader it appears to be safe to use. IPSF works using the RSA padding hack in bootloader 3.9, so as long as the bootloader is 3.9, I can't see it breaking. Here is reference code I wrote to do the IPSF unlock a while ago. With a few mods, elite can turn their virginizer into an IPSF unlocker. I wouldn't bother with the AnySim patches anymore; they are lost after every restore, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.
Also I was playing around with writing Linux drivers, and I figured I'd start one for the iPhone. Here is what I have so far; it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd.

Saturday, January 19, 2008

Notes on a 1.1.2 OTB Software Unlock

I don't see it happening anytime soon.

The old exploits aren't there anymore. The hope would be finding an exploit in the new baseband code itself to run a large chunk of code. But I think the bootloader is pretty well locked down.

First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.

Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be in post-1.1.2 code.

Firmware is written as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to verify before writing the first 0x400 bytes, which contain the start vector. The new bootloader additionally requires that the "secpack" at 0x3c0000 not verify. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.

The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.

Also, even if we found a way to brute force the NCKs in reasonable time, we can't get the information needed for the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have a spy in Apple :)

I hope I am wrong, and some clever person will come along with a software unlock.

Friday, January 18, 2008

1.1.2 OTB UNLOCKED

First of all, HUGE thanks to TA_Mobile and IMTH for getting us the secpack from 1.1.3. Also, thanks to psp_sully for giving me a 1.1.2 OTB phone to play with. Without them there would be no unlock, and no blog post.
YOU VERY WELL MAY BRICK YOUR PHONE WITH THIS. Be careful. I have done it successfully on two phones, and have never bricked an iPhone in my life.
So let's get down to business. It is a hardware method to downgrade the bootloader, and I am assuming you are familiar with the old hardware method, so I won't repeat steps. You need to have a 1.1.2 4.6 phone for this to work. If you upgraded to 1.1.3, have fun waiting for 1.1.4!

First download this pack, you will need these files. This includes the NEW secpack, a new ieraser, a new testcode.bb, and a new iunlocker.

1. Copy all the files to a directory on your phone. It is imperative you do not shut off the phone after ieraser, or you cannot restore wifi, since the only fls which works on 4.6 is 1.1.3. Install mobileterminal before you begin, in case you lose wi-fi. Also I advise doing this on 1.0.2, since resetting the baseband doesn't cause problems there.

2. Run ienew. This is ieraser, and it erases your 1.1.2 firmware to allow the testpoint to work.

3. Find an old 3.9 nor dump and create a file called "nor" with the first 0x20000 bytes of the old nor dump. This is the 3.9 bootloader.

4. Copy "nor" into the folder and run iunew. This is iunlocker and runs just like the old one. You will need the A17 testpoint on before running this. See Step 3 for info on this testpoint. If you restarted and lost wi-fi, it is fine. Just run it from mobileterminal.

Note: "bbupdater -v" shouldn't work at this point, since your phone has no firmware, just a bootloader.

5. The bootloader is now 3.9!!! Run bbupdater -f or restore the phone with the AnySimmable firmware of your choice. It seems people are having the most luck with the firmware from 1.1.2.

6. Run AnySim and, as usual, enjoy your unlocked iPhone.

PS. Thanks again to TA_Mobile and IMTH. The secpack was the only obstacle to the unlock. And thanks to the girl who pressed the return button while I held the testpoint :)

Thursday, January 3, 2008

1.1.3 is coming, unlocks will happen soon

I haven't been working too much with the iPhone lately, but I did take a final look at the new bootloader on the way back from Canada. I also looked over the NCK numbers again.
As far as work with the NCK goes, I don't think we will get anywhere. I do believe the numbers are generated from the IMEI/Serial, but it is done well enough that without Apple's generator we won't be able to do it. Also, brute force is totally impractical.
I also made a mistake with the hardware hack I posted. The 1.1.2 secpack will NEVER validate on the new bootloader. The new bootloader actually does two checks and the SHA needs to be repeated twice. You will see it when you decrypt the new secpack. The A16 hack will work to validate the 1.1.3 secpack on 1.1.3 though.
So it's VERY important that you do not upgrade your baseband. I am 100% sure the old hardware hack will work when the 1.1.3 secpack is used with iEraser. I also think that the -0x400 hack still exists in the new bootloader, so software unlocks are hopefully coming with the release of the new secpack. I've heard rumors of people who have 1.1.3 in beta. The whole community awaits this secpack. Please get it out there as soon as possible.