Archive for January, 2008

Great news!

January 30th, 2008 No comments

My dear users!
After a long silence I would like to announce really great news!
At first, this week you will get iMatrix compatible with 1.1.3 iPhone’s firmware and prepared for official SDK.

Then, I did really hard job and now we have three commercial resolution services integrated into iMatrix! They are besides Semacode and Semapedia, btw. As iMatrix will be ported to official Apple’s SDK, it becomes real universal 2D code recognition tool for iPhone.

Future of 2D codes is coming…..
Stay tuned!

The iPhone “Secret” key

January 30th, 2008 No comments

Strip the first 0x800 bytes from your >= 1.1.1 firmware ramdisk

openssl enc -d -in ramdisk.dmg -out de.dmg -aes-128-cbc -K 188458A6D15034DFE386F23B61D43774 -iv 0

Ignore the error. Then there will be some garbage, signatures and certificates, at the end of the file. Remove it and mount your ramdisk.

Why would this key be published without any explanation of what it is? Apple knows what it is, not telling us how to use it doesn’t serve a purpose for anyone. I don’t know exactly what this key is or where it came from. But I do know it decrypts ramdisks 🙂

Nice job to Zibri, the dev team, and whoever owns Austin Heap for finding this key, I’d love to see the hack used. Sadly this will not help us unlock BL 4.6 phones, or sign our own SDK apps; sign anything for that matter. But hopefully this key is deeply embedded in the iPhone, and decrypting all future ramdisks will be a piece of cake.

1.1.3 Unlock and Linux Driver

January 29th, 2008 No comments

The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn’t update the bootloader it appears to be safe to use. IPSF works using the RSA padding hack in bootloader 3.9, so as long as the bootloader is 3.9, I can’t see it breaking. Here is reference code I wrote to do the IPSF unlock a while ago. With a few mods, elite can turn their virginizer into an IPSF unlocker. I wouldn’t bother with the AnySim patches anymore, they are lost after every restore, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.
Also I was playing around with writing linux drivers, and I figured I’d start one for the iPhone. Here is what I have so far, it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd

If anybody wants to talk to me

January 29th, 2008 No comments

I’ll be hanging out in ##iphone and #iphone-hackers over on . Check out the Freenode IRC instructions if you’re new to IRC.

##iphone is for general stuff, and #iphone-hackers is specifically for people who want to create applications for the iPhone (SDK or hacked).

Oh, and I will be talking at the O’Reilly Emerging Technologies conference about iPhone development (with a brief history, and a how-to). The conference is March 3-6 this year, and I’ll be speaking on Monday morning. Check out ETech today – spots are filling fast.

The 1.1.3 iPhone soft-upgrade jailbreak FAQ

January 25th, 2008 No comments

My inbox has been overflowing with various questions about the 1.1.3 jailbreak, including numerous failures (I said there was risk, didn’t I?). So I put this FAQ together to try and answer the most common ones.

If your phone is broken please scroll down to the PANIC section below.

Read on for the FAQ.

Read the rest of this post

1.1.3 jailbreak Mac version now available

January 25th, 2008 No comments

This is just a post for the RSS readers out there. A Mac version of the Jailbreak is available, on the same page:

iPhone 1.1.3 jailbreak released

January 24th, 2008 No comments

Well, the iPhone Dev Team has done it again. A working jailbreak for 1.1.3 is finally here.


As all upgrades are risky, this one is doubly so. You may have to restore your phone using iTunes and start again if it fails. Make sure to back up first!

Let’s continue

This jailbreak, like the 1.1.2 jailbreak, comes as an upgrade. This means you need to have a 1.1.1 or 1.1.2 jailbroken phone already, before you can begin.


Official Jailbreak release works for iPod Touch, and is easier to do. Go here for that.

Update – unlocked phones appear to remain unlocked and work properly after the update, according to scattered reports.


Read the rest of this post

iPhone 1.1.3 WebClip hack – Speed Dial on your home screen

January 22nd, 2008 No comments

So the new iPhone 1.1.3 firmware allows you to put icons on your home screen for websites, but I know many of us want to put phone numbers on there for a Speed Dial screen.

I’ve put a little hack together that lets you have a (somewhat) speedy speed dial icon. There’s no jailbreaking required for this one – it can all be done using Apple-approved Web Clip creation.

Check the images below for a walkthrough.

Read the rest of this post

iPhone 1.1.3 firmware behind the scenes changes

January 22nd, 2008 No comments

So I’ve had the chance to examine the 1.1.3 firmware on a deeper level (using a technique not developed by me and which I can’t release so don’t ask) and have noticed some interesting changes behind the scenes that are quite blogworthy:

– SpringBoard no longer needs to be modified (via SummerBoard) in order to show extra applications in the /Applications folder.

– All applications now run as the user ‘mobile’ instead of as root.

– Preferences are now stored in /var/mobile rather than in /var/root.

What does this all mean? I’ll tell you what it means.

The iPhone 1.1.3 firmware is ready for official installable applications.

Even though there are no applications available for purchase (besides the iPod Touch’s $20 “upgrade package”), the installation architecture appears to be there already.

It also appears that the frameworks have undergone many changes, ostensibly to make it easier for official…

Read the rest of this post

Notes on a 1.1.2 OTB Software Unlock

January 19th, 2008 No comments

I don’t see it happening anytime soon.

The old exploits aren’t there anymore. The hope would be finding an exploit in the new baseband code itself to run a large chunk of code. But I think the bootloader is pretty well locked down.

First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can’t be touched.

Secondly, the only secpack that validates on 4.6 is >= 1.1.3 They made a change to the format of the secpack so the older ones don’t validate. So if we looked for an exploit in the baseband itself, it would have to be on post 1.1.2

Firmware is written as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to verify before writing the first 0x400 bytes, which contain the start vector. The new bootloader also needs the “secpack” in 0x3c0000 to not verify. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.

The IPSF unlock itself uses an RSA hack in bootloader 3.9 This has been thoroughly patched in 4.6

Also even if we found a way to brute force the NCK’s in reasonable time, we can’t get the information to do the brute force off 4.6 The only hope here is to find the Apple algorithm used to generate the NCK. I don’t think this is possible, unless we have a spy in Apple 🙂

I hope I am wrong, and some clever person will come along with a software unlock.