Posted by planetbeing

While I was waiting for CPICH to finish the first bits of the NAND FTL reverse engineering work, I've been trying to fill in some of the gaps we had in other places, such as the PMU. As promised, there is also now an easy way to install openiboot onto the iPhone. This is great because it will eventually lead to an even leaner and easier QuickPwn in the future.
One of the annoying parts about iBoot in recovery mode is that the thing refuses to charge the iPhone while sitting in recovery mode. The battery just eventually entirely drains. With the new PMU code, openiboot now recharges the battery, so programmers using it (read: me) can just have it sit on the console screen indefinitely. You can also do neat things like check the current battery voltage and check the power supply type the phone is charging from.
The "installation code" consists of porting over my knowledge of reading and modifying img3 files from working on the jailbreaks. I was too lazy to port over the entire xpwn framework, but I wrote up a "diet" version that is sufficient to read and modify img3 files in a limited fashion. img3 files are sort of the new native format of the main part of the NOR (just a bunch of img3 files concatenated together). The upshot is that you can load openiboot as an img3 through iBoot (just like sending an iBEC image) and then type "install" at the console and openiboot will be a permanent stage in your bootloader chain. =P
You can, of course, keep booting up to the iPhone OS as you always do by selecting the option in the boot menu. Installing openiboot isn't very useful except for hackers wanting to hack openiboot.
I also figured out how to parse and modify the NVRAM banks (storing environment variables like "auto-boot", etc.), which was actually pointlessly complicated (in my opinion). There are two banks, each consisting of a bunch of partitions with headers on which Apple uses a pointless one-byte custom checksum. The entire bank is also checksummed with adler32. When NVRAM is modified, the oldest bank is overwritten with the data and becomes the newest bank (which is tracked by an epoch number on each bank). This is so that if one bank becomes corrupted, the other can be used as a backup. However, NVRAM hardly contains anything of high value, so the value of all this trouble is doubtful. Being able to write to NVRAM, though, makes it possible to set auto-boot on and off within openiboot so that we can easily control whether or not to enter iBoot's recovery mode.
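As an added illustration (not code from openiboot or Apple), here is a constructed C model of the dual-bank, epoch-plus-adler32 scheme described above: the bank size, the header layout, and the omission of the per-partition one-byte checksums are assumptions for illustration only.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the dual-bank scheme described above; bank size and
 * header layout are assumptions for illustration, not Apple's real format. */
#define BANK_SIZE 64
#define BANK_DATA (BANK_SIZE - 8)
typedef struct {
    uint32_t adler;           /* Adler-32 over epoch + data */
    uint32_t epoch;           /* higher epoch = written more recently */
    uint8_t  data[BANK_DATA]; /* environment variables, e.g. "auto-boot=true" */
} bank_t;

uint32_t adler32(const uint8_t *buf, size_t len) {
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) { a = (a + buf[i]) % 65521; b = (b + a) % 65521; }
    return (b << 16) | a;
}
/* Checksum covers everything after the adler field itself. */
static uint32_t bank_checksum(const bank_t *bk) { return adler32((const uint8_t *)bk + 4, BANK_SIZE - 4); }

/* Index of the newest bank whose checksum verifies, or -1 if both are bad. */
int nvram_newest(const bank_t banks[2]) {
    int best = -1;
    for (int i = 0; i < 2; i++)
        if (bank_checksum(&banks[i]) == banks[i].adler &&
            (best < 0 || banks[i].epoch > banks[best].epoch))
            best = i;
    return best;
}

/* Overwrite the stale (or invalid) bank with new data and make it the newest. */
int nvram_write(bank_t banks[2], const char *env) {
    int newest = nvram_newest(banks);
    int target = (newest == 0) ? 1 : 0;
    memset(&banks[target], 0, sizeof(bank_t));
    strncpy((char *)banks[target].data, env, BANK_DATA - 1);
    banks[target].epoch = (newest < 0) ? 1 : banks[newest].epoch + 1;
    banks[target].adler = bank_checksum(&banks[target]);
    return target;
}

/* Scenario: two writes, corrupt the newest bank, fall back. Returns 0 on success. */
int nvram_selftest(void) {
    bank_t banks[2];
    memset(banks, 0, sizeof(banks));        /* blank NOR: neither bank verifies */
    if (nvram_newest(banks) != -1) return 1;
    if (nvram_write(banks, "auto-boot=false") != 0) return 2;
    if (nvram_write(banks, "auto-boot=true") != 1) return 3;
    banks[1].data[3] ^= 0xFF;               /* simulate a corrupted write */
    if (nvram_newest(banks) != 0) return 4; /* older bank serves as backup */
    return strcmp((const char *)banks[0].data, "auto-boot=false") ? 5 : 0;
}
```

The self-test shows why the epoch matters: after a corrupted write the reader silently falls back to the previous, still-verifying bank rather than to garbage.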
Someone asked me how "safe" it is to do the installation, etc. Well, I've been doing it every time I make an update these days, so it's fairly safe. The worst that can happen in the usual case is that you may be forced into a DFU mode restore. Everything will be undone with a restore. Early on, I did have bugs that really screwed things up so that a DFU mode restore was no longer possible, but even that was recoverable. I'll briefly go over how:
The important thing is to have a backup of the NOR. As I described in a previous posting, it's possible to really screw things up if you erase the SysCfg section of the NOR. If you do that, the iPhone OS will refuse to boot at all since iBoot cannot properly populate the device tree for the kernel. Since restore ramdisks rely on XNU booting, this is Bad News Bears. In addition, the SysCfg section is device specific, so if you do not have a backup, it will be difficult to ever completely recover from erasing it.
Therefore, before you proceed, MAKE A BACKUP OF YOUR NOR. openiboot can do this for you (and subsequently restore your backup if things go wrong).
Load openiboot via loadibec and select the console. Connect with the oibc client. Type in: nor_read 0x09000000 0x0 0x100000
This will read all of NOR into memory. Then type: ~nordump.bin:0x100000
This will transfer the dump over USB onto your computer and save it as nordump.bin.
Suppose you somehow filled the entire NOR with garbage and are unable to boot. You have to get into openiboot to restore the NOR. The problem is that openiboot is only designed to operate in a post-LLB or post-Recovery Mode context, so it cannot be directly booted from DFU mode. Basically, you've got to load a pwned WTF, then a pwned iBSS, and then a pwned iBEC (all of which are available from a custom IPSW). After that, you can use loadibec to load openiboot. Then, you can restore the NOR thus:
!nordump.bin
nor_write 0x09000000 0x0 0x100000
After that, you can reboot and everything should be normal.
Also, I received a few responses for people volunteering to do the art. I'm not sure what the best thing would be, since I don't want anyone putting in effort for nothing, but we do want the best possible results. So, I'll be getting back to you guys about that.
Posted by planetbeing

I think the best way to handle this is for anyone interested to submit a proposal via e-mail to me about the boot menu. Then, I can put up the pictures on the blog for people to comment and have an opinion about. We can then figure out which one to use or maybe some combination of proposals or in any case, figure it out in a collaborative community style process.
I don't really have an opinion on what the logo should look like, whether it should be cartoony or not. I only think it should look good. =P
There are very few technical constraints on the boot menu. I'm willing to figure out whatever technical solution there needs to be in order to get things to display properly. One thing to keep in mind is that space on the NOR is at a significant premium: raw pixel data is expensive, but procedurally generated stuff like gradients is possible. The only two current menu options are the iPhone OS and the openiboot console, but eventually a Linux option will be added. I can try animation as well, but again, you'd have to have an idea of how it can be done without using up a lot of NOR space.
But yeah, make us pretty!
Some progress on the NAND: Thanks to a huge amount of initial grunt work by CPICH, the NAND project is off the ground. We already have enough to get the proper drive geometries, and I've written and tested the DMA routines that are near the heart of the problem today. Hopefully, we can dump the raw NAND soon and take a peek at what kind of wear leveling data structures we're dealing with.
Posted by planetbeing


After a huge amount of effort and in-situ experimentation with iBoot (basically a massive binary search through the code, disabling some functions to see if I could figure out why my LCD driver wasn't working properly), I managed to get it fully working. The problem was two-fold: first, I forgot to write the first and last bytes of my gamma tables: oops, but easily fixed. The second problem was that apparently iBoot changes the SDIV of the clock in the middle of the initialization process. I'm not even sure yet how many devices the change in clock frequency affects. It certainly affected the LCD, because before there was all sorts of flickering scanline weirdness, as one would expect from a misconfigured clock.
Anyway, I reversed the routine that changed the SDIV and implemented it. Seems to work fine now. It's been ages since I looked into the clock speed stuff (pretty much right when I first started this) so I can't say for certain, but I'm pretty sure doing this increases the clock speed (which would make sense).
The LCD driver worked after those fixes and I went on to write a simple framebuffer in a couple of hours, so we can finally get text-mode output on the iPhone screen. It was pretty important to me to get the screen working because even if we can boot a kernel, I wanted the layman to feel like a full-fledged OS was running on the device, and that means display and I/O of some sort.
For a final hurrah, I also wrote some code that lets us detect when the physical buttons (Home, Hold, etc.) were being pressed down. From these pieces, it will be possible to construct a graphical boot menu controlled by those buttons. You could have one option to boot into the iPhone OS, and one option to go into openiboot command-line mode with that text-mode display.
The photo I posted is the current development snapshot running on a first generation iPhone, with oibc (openiboot client) connected and running on my desktop computer. If you have a 2G iPhone or a first-gen iPod touch, you can try it out yourself by checking out the code from Github and compiling it (it's only designed to be built on a Linux machine; you'll be missing some Linux headers otherwise). I wrote some basic notes on how to get it running inside the source tree, but this is not something you're expected to work with unless you're a fairly experienced programmer yourself.

When it comes to a more budget conscious, yet highly effective means to re-vamp a home and entice potential buyers, home-staging is a fantastic option. As we will see with this month’s Makeover, Accent on Design Inc. re-styled several utilitarian rooms and transformed them into inviting and luxurious spaces certain to lure hungry home [...]
Posted by Chris

Have you noticed the iPhone gradually embedding itself into every facet of your life? Personally, I use my iPhone to:
- plan out my days
- track my personal budget
- exchange emails, phone calls, text messages, photos, videos, voice recordings, etc., with anyone
- broadcast my location via Google Latitude and other location sharing services
Yet considering how much we use the iPhone to map out our personal lives, the unfortunate truth is that Apple’s iPhone is weak on privacy.
Some Improvements
Yes, Apple has addressed a couple of our privacy concerns with the iPhone.
- You now have the option to turn off SMS preview, a feature that displays an excerpt of incoming text messages, causing potentially humiliating situations.
- Also, you can now delete individual text messages on iPhone, whereas originally your only choice was to delete all messages from any given contact.
Top 6 iPhone Privacy Issues
While the above are certainly improvements, there is still a lot left to be desired in terms of privacy on the iPhone. Below are 6 iPhone privacy issues that you may not be aware of, but should be. Give them a look and decide whether it is still worth it for you to own or buy an iPhone.
Consider:
iPhone’s Passcode Lock can be hacked. In September of 2008, Jonathan Zdziarski broadcast a webcast showing the world how to hack into an iPhone that is guarded by a Passcode Lock (which you can toggle in Settings >> General >> Passcode Lock).
The webcast on how to break a Passcode Lock was intended in part for law enforcement officers, but it can also teach thieves how to mine the data from iPhones they have stolen. If you have information in your iPhone that you consider absolutely private, you should know that intruders can easily crack your iPhone’s Passcode Lock.
Besides the Passcode Lock preventing people from entering your iPhone, individual apps from the App Store sometimes have Passcode Locks, like the Balance app, which I use to track my budget.
iPhone stores screenshots of your activities. To produce that shrinking effect that happens to your window whenever you press the home button, your iPhone takes a picture of your screen. It stores a copy of the most recent screenshot and then supposedly deletes it. But according to Wired, “anyone who understands data is aware that in most cases, deletion does not permanently remove files from a storage device. Therefore, forensics experts have used this security flaw to gather evidence against criminals convicted of rape, murder or drug deals, Zdziarski said.”
The knowledge on how to dig up the screenshots from someone’s iPhone can certainly be used by law enforcement in the interests of society, but intruders with malicious intent can see your activity just as easily.
AT&T does not protect your privacy. The sole authorized iPhone carrier in the United States assisted the National Security Agency in its illegal wiretapping scheme and was granted immunity from prosecution after the scandal was exposed.
Yes, many mobile phones other than iPhone run on AT&T, but with iPhone you are transmitting much more personal data than you would on a more basic phone. If you’re an iPhone user in the US, it’s worth considering that AT&T cooperated with the NSA’s widespread wiretapping… some AT&T customers have left because of it.
iPhone embeds your location into photos. By default, photos you take on an iPhone 3G or 3G S are “geotagged” with the location where they were taken. Your latitude and longitude are recorded in your photos’ EXIF data based on a signal from iPhone’s GPS or possibly from cellular and WiFi triangulation.

My iPhone 3G used to ask me if it could use my “Current Location” when I would turn on the camera. Now my 3G S geotags my photos by default. To change how the iPhone uses your location, go to Settings >> General and toggle Location Services.
iPhone doesn’t let you lock down individual apps. Although the iPhone’s Passcode Lock can be hacked, as mentioned above, it would still be nice to be able to set a Passcode for just certain apps, like Messages, Email, and Notes, for example.
iPhone has no option to hide the names of people who send you text messages. This concern was noted in the comments of my post How Has iPhone’s SMS Preview Gotten You Into Trouble?. There’s a big debate in that thread about whether people who care about text message privacy are just a bunch of adulterers, but I tend to believe people’s privacy motivations are their own business and if you want the option to hide names of text message senders, you should have it.
Worried About Your Privacy on iPhone?
There’s no question Apple needs to increase security on the iPhone. Some of these privacy issues require taking a hard look at the iPhone’s core software, but others are options that could simply be added to iPhone’s Restrictions in Settings >> General >> Restrictions.
What do you think? What are your privacy concerns about the iPhone? Please sound off in the comments and tell Apple why you want the iPhone to be more secure.