We were invited by iPhone / iPod touch file system hacker Niacin (who you might also know for his PSP and MSN TV Linux cluster hacks, etc.) and Dre to test out their new v1.1.1 file system hack. We know the whole v1.1.1 hacking thing has been massively confusing even to folks like us, so here's a quick n' dirty timeline to bring you up to date.
  1. Apple releases iPhone, which was obviously cracked six ways from Sunday.
  2. Through firmwares 1.0.1 and 1.0.2 Apple does not block these hacks in any way.
  3. Firmware v1.1.1 is released for iPhone and iPod touch, which completely locks out file system access (and thus 3rd party software).
  4. Awkward silence from Apple fans and the dev community as everyone ponders how to crack the new file system protections.
  5. Hackers dinopio, edgan discover the symlink hack, which takes v1.0.2 iPhones up to v1.1.1 with read / write file system access. In other words, the hack only works on v1.0.2 iPhones (not the iPod touch) when being upgraded to v1.1.1, and still doesn't grant the ability to execute loaded programs.
  6. The next version of dinopio & co.'s symlink hack (which hasn't yet been released to the public) grants the coveted execute privilege (so you can run those 3rd party apps), and enables another hack (by pumpkin) to make the new SpringBoard (the application launcher) recognize the freshly recompiled iPhone apps.
  7. Hacker Niacin (aka toc2rta) and Dre claim they've managed to combine the symlink hack with a TIFF vulnerability found in the v1.1.1 firmware's mobile Safari, which grants access to the file system. This is the hack we're testing here.
    Note: Due to the nature of this hack, it's to be considered ephemeral. Apple needs only to patch the TIFF vulnerability and file system access on v1.1.1 is out, with the touch and iPhone back to their previously not-too-hackable state.
And the result thus far? We've tested the solution, and we can confirm file system read+write access via the TIFF exploit on an iPod touch, meaning loading a simple image file on your v1.1.1 device gives full root file system access!

Caveats:
  • The release has not at this time been released to the public. Niacin claims that will happen in the near future, possibly later this morning.
  • Thus far the hack isn't entirely without issues. We're still trying to determine exactly what's what, but we've lost read and write access unexpectedly. This may or may not be a problem with our machine or device, though, and not necessarily the hack.
  • We did not test this method on an iPhone, but technically there should be no difference in the effect. Side note: your v1.1.1 iPhone would, at this time, need to be activated to load the TIFF. (How else are you gonna load it?) This is supposedly being worked on.
Quick terminal log using iPHUC on the iPod touch confirming write ability to root FS after the break.

==Terminal==
iphuc 0.6.1 with tab completion.
>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceStartService 'com.apple.afc': 0
(iPHUC) /: ls
.
..
Applications
Library
System
bin
cores
dev
etc
mach
private
sbin
tmp
usr
var
(iPHUC) /: putfile ./fstab /etc/fstab [That's the money line! No errors.]
(iPHUC) /: exit
==/Terminal==

Can confirm by way of getfile that the uploaded version sticks.

0 Comments

iPhone and iPod touch v1.1.1 full jailbreak tested, confirmed!