25C3: Hacking the iPhone

As promised in their yellowsnow demo, [pytey], [MuscleNerd], and [planetbeing] from the iphone-dev team presented at 25C3 on their work Hacking the iPhone. The team originally formed in 2007 and this is the most comprehensive presentation on how the iPhone was compromised to date. You can find the full talk embedded above.

They opened with a few stats about how popular their software is. Our favorite by far is that at least 180 people with Apple corporate IPs update their phones using the dev-team’s software on a regular basis. From there the talk was split into two sections: jailbreaking the S5L application processor and unlocking the S-Gold baseband processor.

The phone relies on a chain of trust to guarantee that only Apple’s code is being run on it. All of userland is signature checked by the kernel. The kernel is checked when loaded by iboot. The iboot image is checked when loaded by LLB. LLB is loaded from the NOR by the lowest piece of code, the bootrom. That’s where things fall apart; the bootrom does not check the signature of the LLB. To take advantage of this, the team found what they describe as a classic stack buffer overflow in DFU mode. DFU is Device Firmware Upgrade mode, a state that the phone can be forced into after the bootrom loads. Their exploit forces the certificate check to return ‘true’. They are then able to patch all of the subsequent signature checks out of the phone’s system.
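A small model of the boot chain described above, added here as an illustration (not the dev-team's or Apple's code): an HMAC under a constructed vendor key stands in for Apple's signatures, each verified stage checks the image it loads next, and the model shows that a single unverified first link (bootrom not checking LLB) lets every later check be neutralised, while an intact LLB still stops a tampered kernel.

```python
import hmac
import hashlib

# Hypothetical vendor key standing in for Apple's signing key; HMAC is used
# only so the model runs offline without a public-key library.
VENDOR_KEY = b"constructed-vendor-key"
# Boot stages in the order the post describes: each one loads the next.
CHAIN = ["bootrom", "LLB", "iboot", "kernel", "userland"]


def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)


def make_firmware(tampered=()):
    """Constructed image set: every stage after the bootrom is signed,
    except the names in `tampered`, which get modified code and a bogus
    signature (whoever modified them has no vendor key)."""
    fw = {}
    for name in CHAIN[1:]:
        img = f"{name}-official".encode()
        fw[name] = (img, sign(img))
    for name in tampered:
        img = f"{name}-patched".encode()
        fw[name] = (img, b"\x00" * 32)
    return fw


def boot(fw, bootrom_checks_llb):
    """Walk the chain. A stage that was itself verified checks the next
    image before jumping to it; the bootrom checks LLB only when
    bootrom_checks_llb is set. Once an unverified stage runs, the model
    assumes it has patched out every later check, as the post describes.
    Returns (stages_run, chain_intact, status)."""
    ran, intact = ["bootrom"], True
    for loader, nxt in zip(CHAIN, CHAIN[1:]):
        img, sig = fw[nxt]
        ok = verify(img, sig)
        loader_checks = intact and (loader != "bootrom" or bootrom_checks_llb)
        if loader_checks and not ok:
            return ran, intact, f"halt: bad signature on {nxt}"
        ran.append(nxt)
        if not ok:
            intact = False
    return ran, intact, "booted"
```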

The baseband processor proved to be much more difficult simply because it doesn’t have any sort of recovery mode; bricking a phone was always a possibility. The S-Gold is a complete system-on-chip and has a unique ID on each phone. The NOR also has a unique ID on each phone. These two IDs are used to sign the secpack, which in turn enforces the SIM carrier lock. These unique IDs are why you can’t just take an officially unlocked phone and copy the secpack off of it to unlock another phone. Everything else is identical: the firmware, the baseband, the bootrom are all the same. On the second generation iPhone, the bootrom checks the bootloader. The bootloader then verifies the bootrom before checking and then loading the firmware. The firmware enforces the carrier lock. The team decided that it wasn’t worth attempting to break the chain of trust. The SIM unlock code they developed is divided into two sections. The first part is the actual software unlock: they patch the firmware while it’s running in RAM, and the patch modifies the firmware’s decision tree about whether to enforce the carrier lock. The second half is the exploit that allows them to inject the code. The team knows that Apple can and probably will patch the exploit hole, but their RAM patching code will always work, so it’s just a matter of finding another hole to apply it through. In order to do a permanent unlock solution (like on the first generation iPhone), they’d need to analyze the actual bootrom code.

The team mentioned several things Apple did that actually helped them in their efforts. Security was gradually rolled out, so they were able to look at things that would eventually be hidden. The firmware was initially unencrypted. Earlier versions trusted iTunes, something they could easily modify. All userland apps originally ran as root, meaning any application exploit gave root-level access.

The iphone-dev team has truly put in a tremendous amount of effort and we look forward to the yellowsn0w release on New Year’s Eve.

Comments

  1. UlliBre says:

    Video of the presentation can be downloaded from ftp://81.163.138.188/CCC/25C3/ (possibly only during the congress)

  2. Pyrofallout says:

    Amen to that. These guys have seriously busted their ass on this project for nearly 6 long months. They have my utmost respect.

  3. andrew says:

    I think that the summary means to say that the 2G iPod touch (not the 2nd gen iPhone 3G)’s bootrom checks the bootloader. That is why the 2G iPod touch cannot currently be jailbroken.

  4. Taylor Alexander says:

    The note about users from Apple headquarters is amusing. If you guys have wondered as I did, I made some friends who work at Apple recently and found that lots of people there jailbreak. It’s not frowned upon or anything, as some people may have imagined, given Steve Jobs’s reputation.
    Of note though is that I was told that his phone isn’t jailbroken, but that he has a special phone in the sense that he has all sorts of features we don’t – usually just features that have not yet been released. Basically he just gets firmware updates as they are created, but I imagine he has a bit more than just that – not sure yet though.
    -Taylor

  5. Taylor Alexander says:

    Oh, I also ran into someone who is in charge of software updates at Apple, and you know the whole incident where Safari began showing up in the iTunes updater as needing an update, even if it wasn’t installed, and a bunch of people accidentally had Safari installed on their system?

    I asked him about that and he said the decision came “from the top.” “From Steve?” I asked, and he just replied with “yup.”

    So I’m not sure if that was common knowledge, but in case you had to deal with Safari auto-installing, now you know who to blame!
    -Taylor

  6. I have an iPhone and when I tried to fix it, it completely malfunctioned and every option I click on the main screen says that “I am sorry, Iphone has automatically locked, please try again later”. I am so sorry to tell you this, but your software is a waste of time; if you want to paste it on the internet then at least make sure it’s working.

  7. TJHooker says:

    I bought an Asian knockoff for $99. I’m not into designer computers, and a gyro with touchscreen on a cellphone isn’t impressive either imo.

    Did they ever release the rest of the source code?

  8. Jules says:

    At first sight, I was like “ahh another article on cracking iPhone, bah…” But this is the coolest iPod cracking video I’ve ever seen, explaining memory functions etc. Great to see.

  9. andrcruz says:

    I tried It on my iPhone and the only thing I get is this message: “I am sorry, Iphone has automatically locked, please try again later”

    What now? :S

    ________________

    http://ganhar.me

  10. Zibri says:

    Blah.. Blah.. Blah..
