Oct 28
The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn't update the bootloader it appears to be safe to use. IPSF works using the RSA padding hack in bootloader 3.9, so as long as the bootloader is 3.9, I can't see it breaking. Here is reference code I wrote to do the IPSF unlock a while ago. With a few mods, elite can turn their virginizer into an IPSF unlocker. I wouldn't bother with the AnySim patches anymore, they are lost after every restore, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.
Also I was playing around with writing linux drivers, and I figured I'd start one for the iPhone. Here is what I have so far, it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd

Oct 28
OMG! Updated to be more idiot-proof, and the winner of the 11246unlock contest.

Full software unlock of 1.1.2; the impossible (or at least I said so). Here it is; instructions are in the package. I guess I really am becoming a good reverser ;-)

ZiPhone is a conglomerate of others' work. It copies a new fstab for write access to system, runs iPatcher to patch lockdownd, copies installer, and runs my gunlock to unlock. It is a good way to restore from most problems, and a true jailbreak of 1.1.3. My program is just patched to change the default IMEI (0049) to the user-entered IMEI; although I would strongly advise against changing your IMEI. The exploit he uses runs an unsigned ramdisk with all these programs. This is the best way to jailbreak; and I had been imagining this for a long time, I just didn't have the exploit. This ramdisk exploit was stolen from the dev team, so be careful who you give credit to.

Yes, the impossible has been done. This has absolutely *nothing* to do with JerrySim or any elite/dev/zibri etc. project. I'll start with a little story. Yesterday I was really pissed off. So I figured I'd channel my anger toward something productive; I don't know, something like a 1.1.2 software unlock. I knew the odds were against me, but I figured I'd try anyway. At about 1 last night, I hardware "upgraded" a 3.9 phone to 4.6 with the bootrom locations blank, the read command patched to work, and a 0x102 read arbitrary memory command.

The first exploit I found, at around 4 AM last night, was the -0x20000 exploit. Just like the -0x400 exploit, but -0x20000. Go figure. I guess Apple thought big numbers were harder to guess. I was really pumped, hence the blog post. But that wasn't even half the battle.

Like I said in the "impossible" post, 0x3C0000 can't have a valid secpack to allow booting. I spent the next 16 hours finding a way to do this. I can already write unsigned to the main fw section, all I need is a way to erase the secpack. My first idea was the eeprom secpack; upload the eeprom, endpack it, and the secpack is erased because the eeprom is "clean". But you can't upload a eeprom secpack until the 0x3C0000 is blank. My next idea was that the bl must erase the secpack before writing it. So a simple timing attack should do it. It turns out that no secpacks, even the same one, will write.

I finally found a working exploit about 23 hours into my search for the software unlock. The explicit addresses 0xA03D0000-0xA03F0000 will always erase. This exploit relied on two things: the secaddrs are copied before the secpack is validated (stupid), and the erase command extends the range to whatever is in the secpack. So I tell it to erase 0xA03D0000-0xA03F0000, the erase command sees 0xA03C0000 to 0xA03F0000 in the secpack; BOOM, secpack erased.

The third minor concern was the full range check of 1.1.3. So use 1.1.2 :) This allows full unsigned code execution, it is a relatively simple matter of patching the bootloader to skip the range check. And while you are at it, patch the bootloader to validate all tokens. IPSF style unlock w/o touching the seczone.

So, that's 24 hrs to a software unlock, with about 3 hrs of sleep in two segments. I am disappointed in the elite/dev team for not finding this; or even looking here. I know not everyone in elite/dev is so closed, and I feel bad for those people. Why don't we all just share everything? Apple will patch it anyway. They always have the upper hand. And whatever happened to the dev wiki?

If you were giving money to the "dev team" for this software unlock, why not give it to the guy who actually found the exploits and exploited them?
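
The copy-before-validate ordering the post describes, as a constructed C model added here (not the bootloader's code and not the author's): the vulnerable upload/erase pair stores the secpack's address range before its signature is checked and then widens an already-checked erase request to that range, beside a hardened pair that validates first and erases only what it checked. The address constants are the ones the post names; the union-widening behaviour and all function names are assumptions of the model.

```c
/* Constructed model of the copy-before-validate flaw in the post above; not the bootloader's code. */
#include <stdbool.h>
#include <stdint.h>
#define SECPACK_BASE 0xA03C0000u   /* protected secpack region (addresses from the post) */
#define SECPACK_END  0xA03D0000u
#define FLASH_END    0xA03F0000u

typedef struct { uint32_t start, end; bool signed_ok; } secpack_t;
/* "secaddrs" remembered from the last upload; this initial value makes widening a no-op. */
static uint32_t g_sec_start = UINT32_MAX, g_sec_end = 0;
static bool touches_secpack(uint32_t s, uint32_t e) {
    return s < SECPACK_END && e > SECPACK_BASE;
}

/* VULNERABLE: addresses stored first, validated after; a rejected secpack leaves its range behind. */
bool upload_secpack_vuln(const secpack_t *sp) {
    g_sec_start = sp->start; g_sec_end = sp->end;
    return sp->signed_ok;
}
/* VULNERABLE: the check runs on the explicit range, which is then widened to the stored secaddrs. */
bool erase_vuln(uint32_t s, uint32_t e, uint32_t *out_s, uint32_t *out_e) {
    if (touches_secpack(s, e)) return false;
    *out_s = s < g_sec_start ? s : g_sec_start;
    *out_e = e > g_sec_end ? e : g_sec_end;
    return true;
}

/* HARDENED: validate before storing anything taken from the blob. */
bool upload_secpack_fixed(const secpack_t *sp) {
    if (!sp->signed_ok) return false;
    g_sec_start = sp->start; g_sec_end = sp->end;
    return true;
}
/* HARDENED: the range checked is exactly the range erased. */
bool erase_fixed(uint32_t s, uint32_t e) {
    return s < e && e <= FLASH_END && !touches_secpack(s, e);
}

/* Replays the post: upload an unsigned secpack claiming 0xA03C0000-0xA03F0000, then
 * erase 0xA03D0000-0xA03F0000. Returns true if the secpack region ends up erased. */
bool secpack_erased(bool hardened) {
    secpack_t forged = { SECPACK_BASE, FLASH_END, false };
    uint32_t es = SECPACK_END, ee = FLASH_END;   /* the explicit request */
    g_sec_start = UINT32_MAX; g_sec_end = 0;     /* fresh boot */
    if (hardened) {
        upload_secpack_fixed(&forged);           /* rejected, nothing stored */
        return erase_fixed(es, ee) && touches_secpack(es, ee);
    }
    upload_secpack_vuln(&forged);                /* rejected, but range stored */
    return erase_vuln(es, ee, &es, &ee) && touches_secpack(es, ee);
}
```

The model shows the two independent mistakes: state taken from an unverified blob, and a protection check applied to a different range than the one acted on; fixing either one alone still leaves the other.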

Oct 28
So now that the iPhone 1.1.3 new features are widely known, check out this video of the home-screen rearrangement. The wiggly icons are super cool:

Oct 28
Credits..
Posted by noreply@blogger.com (Zibri) on October 28th, 2008
The 837 Key

I wonder why I am the one accused of stealing
and then NOBODY gives me the credit for what I have done.

The only 2 things I did in the iPhone scene
were to DUMP THE 837 KEY and booting from an unsigned ramdisk.
(nobody even understood what it was when
I posted it on my blog).

Now the so called "dev team" released their tool
and I see no mention of that.

George Hotz wrote code based on the dev team tool
to "execute unsigned code at dfu level"...

Look at the start of the code:

const unsigned char key837[]={0x18,0x84,0x58,0xA6,0xD1,0x50,0x34,0xDF,0xE3,0x86,0xF2,0x3B,0x61,0xD4,0x37,0x74};

That is the key I dumped.
Without it NO TOOL could ever be possible.

That's why I called it a "major breakthru" at that time.

That key also made it possible to decrypt the ramdisk and
create a custom one.

Now if you remember I have always credited people
(george hotz for his unlock based on gray's work and
many members of iphone-elite that now are calling
themselves "dev team").

Now I won't say anyone stole anything.
But these are the FACTS.

Dev team did an impressive team work this time
and even if I don't personally like the tool I see
no other way to do things on 2.0.
(If I'll see one I'll tell you) :)

The same people accusing me
of "stealing" didn't EVER credit me for what
I've done.

And I repeat for those who weren't
reading at that time:
no ZiPhone (iLiberty/iPlus) could
ever have existed without the ramdisk
exploit I found and
no "pwns" without the 837 key.

Zibri.

Dec 4
Downgrade Baseband Guides
Posted by compuguy1088 on December 4th, 2008
To make things simpler, here are Mac and PC guides for downgrading the baseband.

PC: http://code.google.com/p/iphone-elite/wiki/DowngradeBasebandWin

Mac: http://code.google.com/p/iphone-elite/wiki/DowngradeBasebandMac
