Posted by planetbeing
Similarities

Jailbreak: Both utilities jailbreak.

Payload medium: The primary jailbreak payload is placed into iPhone memory for both jailbreaks.
Differences

Technique

ZiPhone uses, as the root filesystem device, a pseudo-device that provides a window to an arbitrary section of memory. This memory is not allocated or otherwise reserved by the operating system and hence will be used by other random processes in other random ways and will become more and more corrupted with every CPU clock cycle. The only safe way to use this is to mlock all memory used by the jailbreak binary as soon as possible, and then use data previously uploaded to flash. Anything else will cause either the jailbreak binary to crash at random moments or cause random data to be written to flash. I am not sure why Zibri elected not to implement ZiPhone in a safer fashion.
QuickPwn uses the same mechanism that Apple uses to send its update ramdisk. This memory is both allocated and reserved. It will not crash at random moments, or give you repeating BSD root errors. This is the way the XNU kernel is designed to use ramdisks.
Longevity

ZiPhone hinges on a BUG in iBoot that was quickly fixed by Apple.
QuickPwn uses an iBoot FEATURE that Apple cannot remove without rewriting their own software and undergoing lengthy QA. Even if Apple did change the architecture, it would be straightforward to simply mimic what they do and adapt to it. The reason QuickPwn can do this is because it relies on a hardware exploit to bootstrap into this phase. Apple cannot fix this problem without changing the manufactured hardware.
Elegance

ZiPhone modifies an existing Apple ramdisk and ships it as a complete set.
QuickPwn contains all-original code and features a very tiny bootstrapper that allows it to use libraries and code that's already on the iPhone.
Not only does ZiPhone's distribution of Apple's binaries violate copyright laws, it also takes up a large portion of room on the ramdisk that could be used for the payload. Keeping its existing algorithm, ZiPhone would never have been able to install Cydia, for example. The maximum feasible ramdisk size is 32 MB; Cydia takes 13 MB and Apple's libraries take up a significant amount. With some work, Zibri could possibly get it just under the 32 MB limit, but with the large number of files in Cydia and the large size of the corruptible area of memory, corruption would be inevitable.
Some history / A personal note

Zibri claims to have "invented the ramdisk jailbreak". Even if this were true, it would have as much relevance to QuickPwn as the 1.0.2 jailbreak does: The techniques used are entirely dissimilar. Not a single step in the process is the same.
However, this is not even true. Before Zibri left, we already had a prototype ramdisk jailbreak in our SVN (which Zibri later leaked parts of). It was written by myself and stored under the very obvious name of "ramdisk-jb", and it contained a modified version of launchd written by Turbo (who should be considered the father of the ramdisk payload). It basically untarred an SSH installation onto the rootfs. It was rudimentary, and required a lot of work to get up to production standards.
While it's obvious that Zibri has picked every bone of that SVN repository clean, I am puzzled why he did not learn from that example source code. It had mlock and it was written in proper C, unlike the rather make-do replacement of launchd with sh. Perhaps he did not understand the code.
A week before his release, we became aware that Zibri was going to write a ramdisk exploit. We considered racing him to it, but we were constrained by the fact that we had already publicized one working method of jailbreaking: The oft-loathed 1.1.3 soft-jailbreak, which we considered perfectly acceptable until the release of the SDK (we were not aware at the time that the SDK release would take so long). In addition, 1.1.3 was a minor update and there was no reason people could not stay on 1.1.2 for a while longer. The issue is that while a ramdisk jailbreak would certainly be easier and better, we would be burning this great exploit that allowed us to reliably decrypt ramdisks (which we had no other way of doing at the time).
Therefore, we chose not to build our own implementation and instead pursue Pwnage, a longer term project. It was ironic months later that Zibri came to flame us out about releasing the dual-boot method, accusing us of burning the exploit. It was amusing because it was so much lower value than the ramdisk exploit, which he was responsible for burning and really had no future prospects because of pwnagetool.
We are aware that the dual-boot method was the last remaining bit of non-public knowledge from our SVN that he had, and my belief was that the flame was caused by his soreness at losing his last chance at remaining relevant after the pmd ("ramdisk") vulnerability was patched.

Posted by planetbeing

While I was waiting for CPICH to finish the first bits of the NAND FTL reverse engineering work, I've been trying to fill in some of the gaps we had in other places, such as the PMU. As promised, there is also now an easy way to install openiboot onto the iPhone. This is great because it will eventually lead to an even leaner and easier QuickPwn in the future.
One of the annoying parts about iBoot in recovery mode is that the thing refuses to charge the iPhone while sitting in recovery mode. The battery just eventually entirely drains. With the new PMU code, openiboot now recharges the battery, so programmers using it (read: me) can just have it sit on the console screen indefinitely. You can also do neat things like check the current battery voltage and check the power supply type the phone is charging from.
The "installation code" consists of porting over my knowledge of reading and modifying img3 files from working on the jailbreaks. I was too lazy to port over the entire xpwn framework, but I wrote up a "diet" version that is sufficient to read and modify img3 files in a limited fashion. img3 files are sort of the new native format of the main part of the NOR (just a bunch of img3 files concatenated together). The upshot is that you can load openiboot as an img3 through iBoot (just like sending an iBEC image) and then type "install" at the console and openiboot will be a permanent stage in your bootloader chain. =P
You can, of course, keep booting up to the iPhone OS as you always do by selecting the option in the boot menu. Installing openiboot isn't very useful except for hackers wanting to hack openiboot.
I also figured out how to parse and modify the NVRAM banks (storing environment variables like "auto-boot", etc.), which was actually pointlessly complicated (in my opinion). They have two banks consisting of a bunch of partitions with these headers that Apple uses a pointless one-byte custom checksum on. The entire bank is also checksummed with adler32. When NVRAM is modified, the oldest bank is overwritten with the data and becomes the newest bank (which is tracked by an epoch number on each bank). This is so that if one bank becomes corrupted, the other can be used as a backup. However, NVRAM hardly contains anything of high value, so the value of all this trouble is doubtful. Being able to write to NVRAM, though, makes it possible to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recovery mode.
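The bank selection and fallback just described, as an added example that is not openiboot's code: two banks, each carrying an epoch and an adler32 over its contents, a one-byte checksum on each partition, and every write going to the older bank. The fixed-size slot layout, the 12-byte key and 18-byte value fields, XOR as the one-byte checksum, and the variable name demo-var are assumptions made for this example; auto-boot is the variable the post mentions, and adler32 is the standard algorithm. What the model shows is the recovery property: a write only ever touches the older bank, so the most recent good copy survives an interrupted or corrupted write, and a bank whose adler32 no longer verifies is simply skipped when choosing which bank to read.

```c
/* Added example (not openiboot's code): a model of the two-bank NVRAM scheme
 * in the post. Assumed here: fixed-size partition slots, the header layouts
 * and XOR as the per-partition one-byte checksum; adler32 is the real thing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPARTS 6                 /* assumed slots per bank */

struct part {                    /* assumed partition: one environment variable */
    char    key[12];             /* NUL-padded name, e.g. "auto-boot"; "" = unused slot */
    uint8_t len;                 /* valid bytes in val */
    uint8_t csum;                /* one-byte checksum of val (assumed XOR) */
    uint8_t val[18];
};
struct bank {                    /* assumed bank layout; the NVRAM is struct bank nv[2] */
    uint32_t    epoch;           /* higher = newer; tracks which bank was written last */
    uint32_t    adler;           /* adler32 over parts[] */
    struct part parts[NPARTS];
};

/* Standard adler32 (RFC 1950). */
uint32_t adler32(const uint8_t *data, size_t len) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + data[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

static uint8_t xor_csum(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    while (n--) c ^= *p++;
    return c;
}

/* Bank whose stored adler32 verifies and whose epoch is highest; -1 if neither does. */
int newest_bank(const struct bank nv[2]) {
    int best = -1;
    for (int i = 0; i < 2; i++)
        if (nv[i].adler == adler32((const uint8_t *)nv[i].parts, sizeof nv[i].parts) &&
            (best < 0 || nv[i].epoch > nv[best].epoch))
            best = i;
    return best;
}

/* Copy the value of `key` from the newest valid bank into out; 1 on success.
 * A partition whose one-byte checksum fails is treated as absent. */
int nvram_get(const struct bank nv[2], const char *key, char *out, size_t outsz) {
    int bi = newest_bank(nv);
    for (int i = 0; bi >= 0 && i < NPARTS; i++) {
        const struct part *p = &nv[bi].parts[i];
        if (strncmp(p->key, key, sizeof p->key) != 0) continue;
        if (xor_csum(p->val, p->len) != p->csum || (size_t)p->len + 1 > outsz) return 0;
        memcpy(out, p->val, p->len); out[p->len] = '\0';
        return 1;
    }
    return 0;
}

/* Write key=value: copy the newest bank into the OLDER one, change the slot there,
 * bump the epoch and re-checksum. The newest bank stays intact as the backup. */
int nvram_set(struct bank nv[2], const char *key, const char *value) {
    int src = newest_bank(nv), dst = src < 0 ? 0 : 1 - src, si = -1;
    size_t vlen = strlen(value);
    struct bank fresh;
    if (key[0] == '\0' || strlen(key) >= sizeof fresh.parts[0].key || vlen > sizeof fresh.parts[0].val)
        return 0;
    if (src >= 0) fresh = nv[src]; else memset(&fresh, 0, sizeof fresh);
    /* slots fill in order and are never freed: the first match-or-empty slot is the one */
    for (int i = 0; i < NPARTS && si < 0; i++)
        if (fresh.parts[i].key[0] == '\0' || strncmp(fresh.parts[i].key, key, sizeof fresh.parts[i].key) == 0)
            si = i;
    if (si < 0) return 0;                           /* every slot in use */
    struct part *p = &fresh.parts[si];
    memset(p, 0, sizeof *p);
    strcpy(p->key, key);
    memcpy(p->val, value, vlen);
    p->len = (uint8_t)vlen; p->csum = xor_csum(p->val, vlen);
    fresh.epoch = src < 0 ? 1 : nv[src].epoch + 1;
    fresh.adler = adler32((const uint8_t *)fresh.parts, sizeof fresh.parts);
    nv[dst] = fresh;
    return 1;
}

/* Scenario run by main(): returns how many of the 6 checks passed. */
int nvram_selftest(void) {
    struct bank nv[2];
    char buf[32];
    int ok = 0;
    memset(nv, 0, sizeof nv);                       /* blank flash: neither bank verifies */
    ok += newest_bank(nv) == -1;
    ok += nvram_set(nv, "auto-boot", "true") && newest_bank(nv) == 0 && nv[0].epoch == 1;
    ok += nvram_set(nv, "auto-boot", "false") && newest_bank(nv) == 1 && nv[1].epoch == 2;
    ok += nvram_set(nv, "demo-var", "x") && newest_bank(nv) == 0 && nv[0].epoch == 3;
    nv[0].parts[0].val[0] ^= 0xFF;                  /* constructed fault in the newest bank */
    ok += newest_bank(nv) == 1;                     /* adler32 fails: fall back to the older bank */
    ok += nvram_get(nv, "auto-boot", buf, sizeof buf) && strcmp(buf, "false") == 0
          && !nvram_get(nv, "demo-var", buf, sizeof buf);
    return ok;
}

int main(void) { printf("NVRAM model: %d/6 checks passed\n", nvram_selftest()); return 0; }
```

Build with any C99 compiler and run; main() reports how many of the self-test checks pass. The fault step flips a single byte in the newest bank, which is enough for the whole-bank adler32 to reject it, so newest_bank() returns the other bank and nvram_get() serves the previous value of auto-boot. A variable that was only ever written into the rejected bank (demo-var here) is lost, which is the price of the scheme: the backup is one write behind by design.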
Someone asked me how "safe" it was to do the installation, etc. Well, I've been doing it every time I make an update these days, so it's fairly safe. The worst that can happen in the usual case is that you may be forced into a DFU mode restore. Everything will be undone with a restore. Early on, I did have bugs that really screwed things up so that a DFU mode restore was no longer possible, but even that was recoverable. I'll just briefly go over how:
The important thing is to have a backup of the NOR. As I described in a previous posting, it's possible to really screw things up if you erase the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at all since iBoot cannot properly populate the device tree for the kernel. Since restore ramdisks rely on XNU booting, this is Bad News Bears. In addition, the SysCfg section is device specific, so if you do not have a backup, it will be difficult to ever completely recover from erasing it.
Therefore, before you proceed, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and subsequently restore your backup if things go wrong).
Load openiboot via loadibec and select the console. Connect with the oibc client. Type in:

nor_read 0x09000000 0x0 0x100000

This will read all of NOR into memory. Then type:

~nordump.bin:0x100000

This will transfer the dump over USB onto your computer and save it as nordump.bin.
Supposing you filled the entire NOR with garbage somehow and are unable to boot. You have to get into openiboot to restore the NOR. The problem is that openiboot is only designed to operate in a post-LLB or post-Recovery Mode context, so it cannot be directly booted from DFU mode. Basically, you've got to load a pwned WTF, then a pwned iBSS, and then a pwned iBEC (all of which are available from a custom IPSW). After that, you can use loadibec to load openiboot. Then, you can restore the NOR thus:
!nordump.bin
nor_write 0x09000000 0x0 0x100000
After that, you can reboot and everything should be normal.
Also, I received a few responses for people volunteering to do the art. I'm not sure what the best thing would be, since I don't want anyone putting in effort for nothing, but we do want the best possible results. So, I'll be getting back to you guys about that.

Hey there Windows 7, we hear you've got some fancy new touch features, huh? Well, Sony's jumping on the ballooning bandwagon of manufacturers with a heart for touchscreen PCs, putting forward its very first model with the all-new L series all-in-one. Sony is billing it as part HDTV and part PC (in typical Sony fashion), with Blu-ray playback and what sounds to be a TV tuner tucked underneath, piling up to a $1,300 starting price. Not bad for a 24-inch multitouch screen.
Update: We just went hands-on with the VAIO L and it's got a pretty great touchscreen sensor -- quite responsive and accurate, even in multitouch gestures. Unfortunately, the TouchSmart-style software that Sony's packed in is woefully half-baked. Hopefully what we saw was just an early prototype of sorts, or Sony's got some serious work to do before October 22. Overall the hardware is pretty Sony-ish and minimal, while the glossy display looks pretty brilliant. Pics below.
VAIO L is Sony's first touchscreen PC, starts at $1,300 originally appeared on Engadget on Wed, 07 Oct 2009 18:52:00 EST.

Above, Jude Law in fab drag. A still from the forthcoming feature Rage, directed by Sally Potter, in which Law plays a female model named "Minx." The short version: A young student uses his phonecam to shoot interviews with the staff of a New York fashion house, and posts them online without the interviewees' knowledge or consent. A runway accident turns into a murder investigation, then, "denial leads to devastation." Here's a New York Times piece about the film, by Guy Trebay. Zoolander it is not. Here's a Flickr set with more stills. You'll spot Steve Buscemi, Judi Dench, John Leguizamo, Dianne Wiest, and Eddie Izzard all in the trailer, which is embedded after the jump....

While RSS may be slowly dying, startups are still building interesting products around the stale technology. Launched at TechCrunch 50's DemoPit, Fresh Sliced News is a free Adobe AIR-powered desktop application that lets you build a personalized newspaper from your favorite news sources on the web. Once you've downloaded the app, you can create personalized sections such as "Technology," "Food," and "Fashion." Within each section, Fresh Sliced News lets you pull in the RSS feeds of 140 news sites and blogs. You can also add other RSS feeds manually if you have the feed's URL. Content is automatically added to the app, and items are given more visual prominence corresponding to their importance, which is determined by two criteria: the level of engagement a news story is receiving on the internet (gauged by PostRank's technology) and the interest a user has demonstrated in the subject matter of the news on the application. So if I tend to read more news about wine in my "food" section, the articles about wine will be more prominent within the app.
TechCrunch50 Conference 2009: September 14-15, 2009, San Francisco