Custom ringtones / sounds on your iPhone using Windows



These instructions are deprecated - it's much easier to download iBrickr and just use the Ringtones interface.

I worked my eyes bloody today crawling through disassembly to help ziel port his Jailbreak program to Windows, and today we can announce that we have succeeded! All the iPhone users running Windows can now put custom ringtones and sounds onto their iPhones.

IMPORTANT NEWS: The iPhone software update 1.0.1 makes these instructions invalid. You STILL need to acquire the old 1.0.0 software package for Jailbreak to still work. Apple will surely have stopped distributing the package by now so I will see what I can do to get Jailbreak working on the new package. Watch for updates!

If you have a Mac, check out the Mac instructions over at Hack the iPhone.

These instructions work...


Notes on a 1.1.2 OTB Software Unlock

Posted by George Hotz

I don't see it happening anytime soon.

The old exploits aren't there anymore. The hope would be finding an exploit in the new baseband code itself to run a large chunk of code. But I think the bootloader is pretty well locked down.

First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.

Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be on post-1.1.2.

Firmware is written as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to verify before writing the first 0x400 bytes, which contain the start vector. The new bootloader also needs the "secpack" in 0x3c0000 to not verify. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.

The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.

Also, even if we found a way to brute force the NCKs in reasonable time, we can't get the information to do the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have a spy in Apple :)
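As an added illustration (not the author's code and not the real bootloader), this toy model contrasts the write-as-uploaded policy described above, where only the start vector waits for the signature check, with a verify-before-write policy; HMAC stands in for the real RSA check, and all sizes, offsets and keys are constructed placeholders.

```python
import hashlib
import hmac

# Constructed toy parameters; the real flash layout and RSA check differ.
FLASH_SIZE = 0x4000
VECTOR_LEN = 0x400        # start vector lives in the first 0x400 bytes
SECPACK_OFF = 0x3c00      # stand-in for the 0x3c0000 secpack region in the post
KEY = b"constructed-demo-key"  # placeholder signing key for the HMAC stand-in


def sign(blob):
    return hmac.new(KEY, blob, hashlib.sha256).digest()


def verify(blob, sig):
    return hmac.compare_digest(sign(blob), sig)


def upload_write_as_you_go(flash, image, sig):
    """Old policy from the post: chunks are written to flash as they arrive,
    and only the first VECTOR_LEN bytes wait for the signature to verify.
    Everything above the vector is already in flash before the check runs."""
    for off in range(VECTOR_LEN, len(image), 0x100):
        flash[off:off + 0x100] = image[off:off + 0x100]
    if verify(image, sig):
        flash[:VECTOR_LEN] = image[:VECTOR_LEN]
        return True
    return False  # rejected, but flash above VECTOR_LEN has already changed


def upload_verify_then_write(flash, image, sig):
    """Hardened policy: nothing touches flash until the whole image verifies."""
    if not verify(image, sig):
        return False
    flash[:len(image)] = image
    return True


def demo():
    """Returns (old_accepted, old_flash_modified, new_accepted, new_flash_untouched)."""
    good = bytes(range(256)) * (FLASH_SIZE // 256)   # constructed signed image
    sig = sign(good)
    tampered = bytearray(good)
    tampered[SECPACK_OFF] ^= 0xFF                     # unsigned change in the secpack
    f1, f2 = bytearray(FLASH_SIZE), bytearray(FLASH_SIZE)
    r1 = upload_write_as_you_go(f1, bytes(tampered), sig)
    r2 = upload_verify_then_write(f2, bytes(tampered), sig)
    return r1, f1[SECPACK_OFF] == tampered[SECPACK_OFF], r2, f2[SECPACK_OFF] == 0
```

Both policies reject the tampered image, but only the write-as-you-go policy leaves the secpack region of flash modified afterwards.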

I hope I am wrong, and some clever person will come along with a software unlock.

Fun with the iPhone accelerometer


Note (9/12): there is an application in the iBrickr PXL repository called 'Balls' which links to this page. I have nothing to do with that app; it was created by Grudgnor over at the MacRumors forum.

Those who have followed this blog will know that I like to play with unusual input methods (see my earlier posts on , ambient light sensors, and the SmackBook).

As it turns out, the iPhone has a built-in LIS302DL, a tiny 3-axis accelerometer. While some have attempted to use it from within the Safari browser (the Tilt game detects changes to the width of the browser page; it is basically used as a 1-bit input device), its potential is still somewhat untapped.

After a rather lengthy bout of reverse-engineering (I had barely touched ARM assembly before this), I finally figured out how to access the raw data from the accelerometer itself, as can be seen in the video above. Source code is posted here. (Update: yes, it is possible to access the accelerometer directly through UIKit without this hack; however, you'll be locked to the default sample rate, which is too slow for some of the fun stuff.)

Straw poll: What would you like to see on the iPhone?



1.1.3 Unlock and Linux Driver

Posted by George Hotz

The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn't update the bootloader it appears to be safe to use. IPSF works using the RSA padding hack in bootloader 3.9, so as long as the bootloader is 3.9, I can't see it breaking. Here is reference code I wrote to do the IPSF unlock a while ago. With a few mods, elite can turn their virginizer into an IPSF unlocker. I wouldn't bother with the AnySim patches anymore, they are lost after every restore, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.
Also, I was playing around with writing Linux drivers, and I figured I'd start one for the iPhone. Here is what I have so far; it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd.

iPhone 3G Unlocked?

Posted by George Hotz

So I read this on gizmodo. Here's the truth...

Post beta 4, the ramdisk hack stopped working. Sorry Zibri, guess you'll have to steal another exploit. They also changed the recovery mode USB protocol to use the control endpoint to send commands.

The possibility of unlocking, which is very distinct from jailbreaking, is based entirely on the baseband bootloader. Apple doesn't appear to upgrade the bootloader on phones in the field, probably for fear of bricks. So any old iPhones out there today, regardless of version, can be unlocked.

The iPhone 3G uses a different bootloader, in which I believe there aren't any known exploits yet. So no unlock.

There is a known exploit in iBoot, on both the old and 3G iPhones. The "the specific date/time is not firm yet" pwnage tool will leverage it to jailbreak all 2.0 software iPhones, 3G and otherwise. Dev team, that date better be soon or I might just have to release yiPhone. The iBoot exploit is yours, use it. You wouldn't want a repeat of ZiPhone now...