iPhone and iPod touch v1.1.1 full jailbreak tested, confirmed!

- Apple releases iPhone, which was obviously cracked six ways from Sunday.
- Through firmwares 1.0.1 and 1.0.2 Apple does not block these hacks in any way.
- Firmware v1.1.1 is released for iPhone and iPod touch, which completely locks out file system access (and thus 3rd party software).
- Awkward silence from Apple fans and the dev community as everyone ponders how to crack the new file system protections.
- Hackers dinopio, edgan discover the symlink hack, which takes v1.0.2 iPhones up to v1.1.1 with read / write file system access. In other words, the hack only works on v1.0.2 iPhones (not the iPod touch) when being upgraded to v1.1.1, and still doesn't grant the ability to execute loaded programs.
- The next version of dinopio & co.'s symlink hack (which hasn't yet been released to the public) grants the coveted execute privilege (so you can run those 3rd party apps), and enables another hack (by pumpkin) to make the new SpringBoard (the application launcher) recognize the freshly recompiled iPhone apps.
- Hacker Niacin (aka toc2rta) and Dre claim they've managed to combine the symlink hack with a TIFF vulnerability found in the v1.1.1 firmware's mobile Safari, which grants access to the file system. This is the hack we're testing here.
Note: Due to the nature of this hack, it's to be considered ephemeral. Apple needs only to patch the TIFF vulnerability and file system access on v1.1.1 is out, with the touch and iPhone back to their previously not-too-hackable state.
Caveats:
- The hack has not yet been released to the public. Niacin claims that will happen in the near future, possibly later this morning.
- Thus far the hack isn't entirely without issues. We're still trying to determine exactly what's what, but we've lost read and write access unexpectedly. This may or may not be a problem with our machine or device, though, and not necessarily the hack.
- We did not test this method on an iPhone, but technically there should be no difference in the effect. Side note: your v1.1.1 iPhone would, at this time, need to be activated to load the TIFF. (How else are you gonna load it?) This is supposedly being worked on.
==Terminal==
iphuc 0.6.1 with tab completion.
>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceStartService 'com.apple.afc': 0
(iPHUC) /: ls
.
..
Applications
Library
System
bin
cores
dev
etc
mach
private
sbin
tmp
usr
var
(iPHUC) /: putfile ./fstab /etc/fstab [That's the money line! No errors.]
(iPHUC) /: exit
==/Terminal==
Can confirm by way of getfile that the uploaded version sticks.
Great news, thanks Niacin, Dre and others!
Can't wait to test this out
This doesn't actually have the instructions on how to do it?
I used these instructions to jailbreak my iPhone 1.1.1 and it worked:
http://www.iphonealley.com/news/iphone-v1-1-1-jailbreak-apptapp-installation-guide
So, where does the semi-lay iPod touch kid start?
Credit needs to be given to the itouch dev team as well. Much code was contributed to niacin without due credit by him thus far.
It was a great experience :)
amazing! go iphone/itouch dev team!
Grats Niacin, good luck on further development.
Was there reading along! Can't wait till this goes public!
Thank you guys much appreciated
So for whatever reason I can't bring myself to jailbreak my iPhone; so far none of the additional functionality is compelling enough given the risks of bricking my phone or voiding the warranty. But I sure want to thank you guys that do. It seems like the hacking community forces Apple to fix bugs and add new features, just so they can release hack-breaking firmware updates. Since they can't just release new firmware with a change log entry like "breaks your hacks", they need to at least fix or add something compelling enough to get people to upgrade. So thanks to you guys who keep Apple on its toes; even we scaredy cats appreciate your efforts.
I see something similar to this for the next iPhone update:
"iPhone Update 1.1.2
Critical flaw in Safari allows a hacker to gain access to the file system. Update now to ensure the secure operation of your phone."
keep it up!
Hasn't Apple demonstrated the ability to patch iPhones without the user's consent?
I can see the TIFF exploit falling under the "immediately patched without user consent due to security/exploit risk/full access to root et al." scenario.
Good luck all.
No, Apple hasn't made any iPhone upgrades without the user's consent.
In other news, Apple releases a new firmware update tomorrow morning.
ooo would the mouse really be released so soon? >:)
Now if Apple only had some iPod Touch 16Gigs in stock to replace my very expensive iPod Touch shaped paperweight, I'd be happy to give this a go...
This worries me... this hack uses a TIFF exploit in the browser, similar problems IE users experience on Windows; and a proven way "into the OS".
In the start there were no viruses for Windows, but as there was more and more interest in the OS, people started to "hack", tweak and customise the OS; simply through its popularity more and more people understood how to manipulate the environment, and useful hacks tools and customisation developed into other areas less useful and more damaging such as viruses.
The iPhone, simply by its popularity, is at the start of this cycle; the smart people are pulling it apart and understanding how the code is written, testing and pushing to find weak points to find a way in to execute code to unlock the code.
I'm asking: with the iPhone having such a high profile, aren't these tools, experiences and knowledge found the building blocks for someone with a more personal objective to write a virus? With the OS on the iPhone and the Mac so similar, the transfer should be a lot easier?
I can see similarities between Apple and Microsoft here, but it looks like I'm the only one to see it;
MS releases a patch for IE, and within days it's breached and another way in is found...
Apple releases a patch for Safari, and within days it's breached and another way in is found...
... I think I'll put a stake in the ground, and say: "This is where it all started..."
Oh rest assured. Everyone sees the similarity, but people just have yet (as far as we know, since a ton of mac folks continue on without spyware checkers and anti-virus/worm software) to really experience anything nasty appearing or doing significant damage.
Excuse my ignorance but, I happen to have a hacked iPhone 1.0.2 and I was wondering... with this new jailbreak thingy, is it or will it be possible to upgrade the iPhone in its hacked state keeping the SIM unlock and without bricking it??? Or is this just a hack for 1.1.1 iPhones that are already upgraded???
Very interesting question indeed - one to which I would like an answer too.
Perhaps it is time that devs looked into the possibility of Custom Firmwares similar to what is happening in the PSP scene.
I mean I live in Belgium and well... I have no problems with my v1.0.2 iPhone but I would like some of the updates. I've said it before, I don't miss them because I never had them and for me the phone is cool the way it is... but eventually there will be an update with something REALLY cool, like MAYBE... I don't know, file sharing over Bluetooth??? Camera software that, if it can't make video, at least can ZOOM!!!!... nothing too fancy, you know what I mean??? Some stuff regular phones DO have...
I think right now it is only for ones that are either newly bought, or ones that have been updated. I recommend you do not upgrade yours as it is unlocked and hacked and it is likely to become your very own iBrick. Just hang in until there is a safe way for your hacked 1.0.2 iPhones. GREAT JOB DEV TEAM(s)!!!!
I'm not planning on updating mine; it works fine and I love the apps I have so far... I don't really need THAT much... and I live next to France, probably they will have to (by law) sell the iPhone unlocked... so... a guy can only dream, right??? Until then... I'll hang on to my 1.0.2 which in any case I love.
Are we going to get an updated hack for EVERY firmware update released from Apple? I'm getting bored of the iPhone hacks!!
Don't get me wrong, I'm a BIG Apple fan. But I thought this site was for gadget updates/new releases and reviews. Not hack after hack for iPhone and iTouch.
BORING!
One needlessly taken human life = countless IPhones
Amerika obsesses over its toyz while B&C plot to kill a few million more... Perhaps if they threatened to take away the peeplz toyz there would be some outrage?
I know, the open source community is very open in its approach to technology, but if you want to keep the iPhone jailbroken and unlocked, can we please just stop telling Apple how we are breaking into their code. This is not a cat and mouse game, this is a cat (who hides everything) and the mouse who tells the cat exactly what to fix for the next release. Why not just provide the tools (most people don't care or understand what is going on anyway) and let Apple actually invest in trying to guess (just like us) how we broke it this time.
That is the only way to make this whole thing fair from a development and cracking point of view! Apple could have relocked the phone a few hours after the update just by fixing the symlink and the tiff exploit! Don't give them that vital information keep them in the dark!!!
The dev guys started getting the hint with a developer only irc channel, take it to the next level, and don't release your secrets!
Don't you think Apple also has so-called "computer engineers" too?
I'm pretty sure they have lots of engineers, but as an engineer myself, when it comes to fixing a problem, it's 90% trying to find what the hell is broken and 10% actually fixing it. If they don't know how we got in, then they will actually have to invest in trying to find out how we broke the system, which will give us a bit of an advantage, sure they might be able to find out how we did it, but right now, we might as well send them a bug report saying that the TIFF handler in Safari has a bug at line 1234.
I think that would be highly irresponsible. The efforts of these hackers are admirable, but let's be honest here - they are taking advantage of security vulnerabilities. Would you really rather not tell Apple about real flaws in their software, ones that could potentially affect millions of iPhone users if left unfixed, just so the relative handful of hackers & hobbyists can continue to run our SNES emulators and accelerometer hacks?
I'm somewhat for this too... what's the point of hackers actually spelling out exactly HOW they do something like jailbreak (as the advertisement ultimately leads to Apple countering it) unless that is their aim - for the company (Apple here) to fix it?! I guess the true hope is that Apple will realise that w/o hackers and rogue developers actually being charitably informative (as the IPDT and others have been) there are always exploits the company will miss that could bite them in the @$$ if used purely maliciously... so play nice with the hackers, Apple, and provide them with an OPEN SDK so they can become legit contributors to the development of the OS (mobile OS X in this case)....
I think that's kind of a silly approach.
a) By releasing the 'how to', the devs are letting more people try the hack before Apple gets a chance to Patch it. People who use the hack don't have to update to the next official release if they don't want to. This still gives the people an advantage.
b) As Q-Bert said, it would be irresponsible not to bring attention to a security exploit such as that one. Root access from a tiff?
c) I'm willing to bet that, given the knowledge of the hack, the engineers on Apple's staff could figure out how it's done faster than most of the iPhone owners. If that's true, then very few people would actually get a chance to hack their phone before the apple engineers beat them to it. I'm also curious how you plan to let everyone know *without* someone at Apple (or one of the many minions) finding out as well.. secret code words passed around in covert chambers? :)
I'm all for hacking the hell out of the thing and then letting everyone know how it was done. The purpose of most of this hacking is really just to see if it can be done anyway.
The question is, if I hack my iPod touch, will Apple brick my iPod touch in future updates?
Trust me. They'll brick your Touch even if it isn't hacked...
Well, once I hack mine, I'm not gonna update unless there's a really good reason to. You don't have to update ever, if you want, and if you do, all you have to do is restore the iPod and upgrade away. I sense no danger here.
It's simple really. All Apple has to do is implement a new system on the iPhone where if they don't constantly keep up to date with the updates, they won't be able to use their iPhone. That way Apple can start controlling users and break the intention of running naughty 3rd party apps. Seriously, customers should not have the ability to pick and choose how they wanna use the products they buy. The corporations gotta take the initiative and give them that nudge.
That wouldn't work because then there would be a hack to get around that too. Windows Genuine Advantage rings a bell here.
I was being sarcastic. They seem hell bent on telling you what you can and cannot put on your iPhone. And I do stress that the iPhone is under the customer's ownership. Sickening.
Relying on security flaws to actually make the iPhone/iPod useful is.. funny at least.
It's simple, really. All Apple has to do is implement a new system on the iPhone where if the user doesn't constantly keep up to date with the updates, he/she won't be able to use the iPhone. That way, Apple can start controlling users and break their intention of running naughty 3rd party apps. Seriously, customers should not have the ability to pick and choose how they wanna use the products they buy. The corporations gotta take the initiative and give them that nudge.
Prop to Ryan for the 3am Blog.
I was actually impressed by this, too, until I remembered that Ryan lives in San Francisco: makes it a midnight blog post instead... Still cool, just not *as* cool...
I don't know if this is of use to anyone but on my touch I discovered another vulnerability in the current software. I completely filled up my 16gig and only left about 100mb the other day... the touch worked normally but when you went into video the display was very hosed, splashes of solid colors mixed in with the video and a double image effect similar to 3D. Fixed by deleting a movie and doing a reboot. Also discovered that adding one of those URLs with the data to bookmarks that is above 2.5 MB consistently caused the touch to reboot.
I am all for 3rd party apps, my only reservation is I would prefer the touch be more stable as a platform first, I think apple still has a lot of work to do and any hack or 3rd party program right now could cause havoc to the operating system
just my 2C
What about a sim hack?? Has there been any news for this??
The biggest hope is that by gaining read/write access they can install tools that will allow them to more easily investigate just how the firmware update process works between 1.0.2 and 1.1.1. This will allow them to find a way to keep a jailbroken touch/iPhone free even after future firmware updates arrive from Apple. Hopefully they can get in between the update process inside things and prevent Apple from re-incarcerating our devices in the next firmware update. Then users can use 3rd party apps without worrying that all will be lost with a future firmware update.
The problem is that the majority of hackers are motivated by ego and if they can't brag about how they did something then it's like it never happened.
Ahh... corrupt image files. Is there anything they can't do?
Oh, that's right, display images.
When's a hack coming for people that don't already have an AT&T account?
I live out of the US, so activating the iPhone on AT&T is out of the question.
I hope Apple updates the iPhone and iPod touch fast so these hacks will be impossible.
No problem guys ;o)
Just send your PayPal donations to: imtryingtostealyourdonations@ishouldbeinjail.com
:o)
with the ability to access safari, as shown here: www.hackint0sh.org/forum/showthread.php?t=10378 I don't see why this wouldn't be possible on an OTB 1.1.1 unactivated phone.
Whatever happened to hacking behind the scenes? There seems to be just too much information and detail being exposed. "We did this, then exploited that, then we had a problem with this, then we found a way around it by doing this, etc..." I miss the mystery and it seems all these nice outlines of procedures and specifics, with a nice peppering of hacker names, makes a nice read for Apple. Why make their jobs so easy? Can this work really not be done behind the scenes and just release the results, not the details, and let them figure it out themselves? Wouldn't this be to our benefit?
By the way, congratulations and thanks to all who contribute to these advances!
Exactly. I wondered about this myself - I find it pretty dumb, so dumb that it's painful to look at. I mean, you're hacking and telling the author how you're doing it, making it dead easy for them to fix it. Hackers are in it for fame so it doesn't matter to them if their hack is closed up in another update - but the journalists (Engadget?) should definitely care about implications. You can reveal the exact details several months down the road when it's irrelevant for current users but still valuable info for people interested in the subject. Yes, security through security doesn't work well, but it works well enough to give an extra week or two to shelf life of the hack - so that poor users can actually spend more time using the gadget than searching and waiting for (yet) another hack.
Perhaps the blogger should be fired or at least disciplined if his next post is whining about 1.2 closing up the "tiff exploit"?
Ray- If you read the original post, there have been contributions by many different people/groups, probably all over the world. The only way this jailbreak can be put together is if different peoples' discoveries are made public, so people can build on each others' work.
Sorta like that whole open source thing...
Who fucking cares? I don't have a proprietary garbage device like this.
Question for you all:
I bought an unlocked iPhone out here in Bombay, India - they are selling everywhere!
I put too many damn apps on it and I want to start fresh again. I want to reset to factory settings. Now... because I did not do the unlocking... I don't want to have to take it back again to the store... Will restoring factory settings bring the phone back to a locked AT&T-only phone? Or can I carry on as usual!!????
• Reboot iPhone holding the top button (power) and the home buttons.
• Release the top button 10 seconds after that, right after the screen goes dark. But keep the home (bottom) pressed for a while.
• The iPhone screen will appear to be off. Now start iTunes manually.
• iTunes will tell you it has found an iPhone in "restore mode."
• Press option key and then click the restore button.
• Select the 1.0.2 firmware .ipsw file from here:
• Shutdown iTunes.
• Launch the latest iNDpendence (Mac-only for now.)
• Activate the phone
So there is a working iPhone exploit in the wild?
Somewhere, Sony (especially its PSP team) are just laughing uncontrollably.
iPhoneAlley is reporting and giving away how to upgrade and hack your iPhone! They said, do not do it if you have UNLOCKED YOUR iPHONE, do not have a LEGIT ATT account, and do not know WHAT you are doing. Also, you must have a Mac.
Sorry Windows kids.
windows kids are all happy with their fully functional WindowsMobile
Whoever said OS X was malfunctioning?? I am just referring to the fact that 1.1.1 is only hackable by OS X on a Mac at the moment. I was never complaining about WindowsMobile. You completely took my comment the wrong way.
Well everyone has been talking about this jail break for the past few days and it is good news but I guess only for those who have broken out of jail before (meaning have experience with 3rd party apps installation) until the easier guide comes the rest of us will have to wait and stick to our ipod / iphone music and movie downloads which I use http://www.ipodtunesdownloads.com they have great service
Look. Apple wins in the end. Stop the hacking (but keep begging apple for a valid SIM unlock).
May I suggest all of these talented people focus their skills on creating kick ass web applications? Instead of hacks that will get shut down in 0.0.1 updates??
Really talented developers make applications that have slick interfaces, and provide a simple solution to a task/problem. (examples: iPhone.Facebook or BeeJive).
Putting a hack on an iPhone to run 3rd party native apps is pointless...because I can say that none of the native apps developed thus far are impressive. The only thing you can do with it, is show someone "hey look I have 3rd party apps on my iphone" to which they respond "it'll be a paperweight in two weeks."
Cheers,
Happy unhacked, unmodded, iPhone 1.1.1 user.
Lighttpd lets me run a web server on my phone. OpenSSH provides me a way to upload PDFs to my iPhone, and I can then view those PDFs in Safari. This method is MUCH cleaner than the data URI hack.
MobileTextEdit lets me edit my own text files as needed. I use this for notes, and I use the "Notes" application for a ToDo list.
Having terminal (along with OpenSSH) lets me SSH into my servers from anywhere. Thus, I can get to my server whenever needed, and I can backup my calendar, notes, text files, contacts, and other data via a BASH script which I run through the TAPP app (I could possibly use Cron, too).
Apollo lets me chat with people if needed (IRC apps are also available).
SpringBoard lets me rearrange icons in the Home menu.
weDict provides me with multiple dictionaries and thesauruses.
vrecord lets me do voice recordings whenever needed (voice notes, lectures, ...).
I find these things useful.
I use T-Mobile, and I do not have a data plan. I'd say these third-party apps are necessary as much of the time I have no access to the Internet.
Just because you may not find uses in third-party apps does not mean other people do not.
Need to revise what I said...I obviously can't get to my servers or chat with people when not at a hotspot, but when I am at one, it's nice and useful to have those apps.
Also, when I AM at a hotspot, most of the time they are insecure. With SSH, I can tunnel into my proxy server and browse securely.
Lastly, when updating the firmware, notes from the Notes app are NOT synced -- you lose them all. With a basic BASH script I can back these up easily, every day.
It's out!!
http://www.toc2rta.com/?q=node/22
What about unlocking 1.1.1??- Will that be possible in the near future too or is everyone just concerned about 3rd party apps??
"it's all fun and games until someone gets hurt" - your mom
no really, executing root code through a corrupt image is a pretty severe security flaw and is gonna be patched up pretty damn quickly.
I used the hack, now i cannot plug-in my ipod to itunes as it says it's in restore mode and i cannot change that! WTF!
Here's an idea (may or may not work)
Carpe diem (seize the day) and, while you can, write a 3rd party app for the iPod Touch that opens the file system (basically just put a permanent copy of the code you executed in the buffer overflow on the Touch's apps list); then if the next upgrades don't remove these apps (that's why it might not work) you can still run the same code even though they'll fix the TIFF image buffer overflow problem that originally let you run it.
Tell me if you think of any obvious objections to this
Please tell people that once you do the first step in the hack process (visiting the exploit URL) you must go till the end, or reflash your iPod to factory firmware.
I have found a new way to actually edit every single file within the iPod touch. If you go to Installer-->Productivity-->MobileFinder, after you install MobileFinder you are able to access all the files. It will allow you to change virtually everything about your iPod or iPhone. iPod and iPhone must be jailbroken of course.
Where can i get the 1.1.1 firmware for ipod touch??
This corrupt TIFF image bullshit is old, it's not new, it was released for the PSP years ago, and by installing this shit you're just making your wifi system more vulnerable. Laugh it, something was coded in so hackers and not SCRIPT KIDDIES can access your calls and private data, not to mention make calls from your SIM details that they accessed because you gave your iPhone more exploits. One word: dumbasses.
Get your iphone unlocked or upgrade it to the latest version
UNLOCK WITHOUT OPENING THE PHONE, SO DONT WORRY
Upgrades of iPhones and any iPhone Repairs done too
If anyones interested, please email me cuteprick@hotmail.com or call me...
Come with your iPhone & i'll unlock it within 15mins.
CALL ME ON 9820541041
AM LOCATED IN MUMBAI