Posted by George Hotz on under bootloader, nck, wrg, ipsf, brute force, chunk, firmware, algorithm, vector, hack, boots, pers, spy |

I don't see it happening anytime soon.
The old exploits aren't there anymore. The hope would be finding an exploit in the new baseband code itself to run a large chunk of code. But I think the bootloader is pretty well locked down.
First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.
Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be on post 1.1.2.
Firmware is written as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to verify before writing the first 0x400 bytes, which contain the start vector. The new bootloader also needs the "secpack" in 0x3c0000 to not verify. So we would have to find an exploit which can write the first 0x400 and erase 0x3c0000.
The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.
Also even if we found a way to brute force the NCK's in reasonable time, we can't get the information to do the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have a spy in Apple :)
I hope I am wrong, and some clever person will come along with a software unlock.
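The "written as it is uploaded" point above is the one worth seeing in code. The following is an added model, not code from the post or from any iPhone bootloader: it simulates a loader that commits chunks to flash as they arrive and holds back only the first 0x400 bytes until the signature verifies, next to a loader that stages the whole upload in RAM and commits only after verification. The flash size, the 2 KiB image, the chunk size and the sample contents are assumed, and a 32-bit FNV-1a checksum stands in for the real RSA signature check purely so the model runs without a crypto library.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, scaled-down layout (not the real baseband's): 4 KiB of flash,
 * with the start vector in the first 0x400 bytes as the post describes. */
#define FLASH_SIZE       0x1000
#define START_VECTOR_LEN 0x400

static uint8_t flash[FLASH_SIZE];

struct image {
    const uint8_t *data;
    size_t         len;
    uint32_t       sig;   /* value the loader checks the image against */
};

/* Stand-in for the loader's signature check: 32-bit FNV-1a over the image.
 * The real bootloader verifies an RSA signature; this is used only so the
 * model runs without a crypto library and proves nothing about origin. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

void flash_erase(void) { memset(flash, 0xff, sizeof flash); }  /* erased NOR reads 0xff */

/* Model of the loader the post describes: chunks go to flash as they arrive;
 * only the first START_VECTOR_LEN bytes wait for the signature to verify.
 * Returns 0 on success, -1 if rejected. Look at what flash holds on -1. */
int load_write_as_uploaded(const struct image *img, size_t chunk)
{
    if (img->len < START_VECTOR_LEN || img->len > FLASH_SIZE || chunk == 0)
        return -1;
    for (size_t off = START_VECTOR_LEN; off < img->len; off += chunk) {
        size_t n = img->len - off < chunk ? img->len - off : chunk;
        memcpy(flash + off, img->data + off, n);   /* committed before any check */
    }
    if (fnv1a(img->data, img->len) != img->sig)
        return -1;   /* body already in flash; only the start vector is held back */
    memcpy(flash, img->data, START_VECTOR_LEN);
    return 0;
}

/* Hardened variant: stage the whole upload in RAM, verify the staged copy,
 * commit only on success. A rejected image never modifies flash. */
int load_verify_then_commit(const struct image *img, size_t chunk,
                            uint8_t *staging, size_t staging_len)
{
    if (img->len > staging_len || img->len > FLASH_SIZE || chunk == 0)
        return -1;
    for (size_t off = 0; off < img->len; off += chunk) {
        size_t n = img->len - off < chunk ? img->len - off : chunk;
        memcpy(staging + off, img->data + off, n);
    }
    if (fnv1a(staging, img->len) != img->sig)
        return -1;   /* flash untouched */
    memcpy(flash, staging, img->len);
    return 0;
}

/* Constructed 2 KiB image with a deliberately wrong signature. Returns 1 if
 * the write-as-uploaded loader rejected it yet its body is in flash while the
 * start vector is not (the state an exploit would need to complete). */
int demo_rejected_body_lands(void)
{
    static uint8_t img[0x800];
    memset(img, 0x41, sizeof img);
    struct image bad = { img, sizeof img, fnv1a(img, sizeof img) ^ 1u };
    flash_erase();
    int rc = load_write_as_uploaded(&bad, 0x100);
    int body = memcmp(flash + START_VECTOR_LEN, img + START_VECTOR_LEN,
                      sizeof img - START_VECTOR_LEN) == 0;
    int vector = memcmp(flash, img, START_VECTOR_LEN) == 0;
    return rc == -1 && body && !vector;
}

/* Same bad image through the hardened loader, then a correctly signed one.
 * Returns 1 if the bad image left flash fully erased and the good one was
 * accepted and committed, 0 otherwise. */
int demo_verify_then_commit(void)
{
    static uint8_t img[0x800], staging[FLASH_SIZE], erased[0x800];
    memset(img, 0x42, sizeof img);
    memset(erased, 0xff, sizeof erased);
    struct image bad  = { img, sizeof img, fnv1a(img, sizeof img) ^ 1u };
    struct image good = { img, sizeof img, fnv1a(img, sizeof img) };
    flash_erase();
    int rejected = load_verify_then_commit(&bad, 0x100, staging, sizeof staging) == -1
                   && memcmp(flash, erased, sizeof img) == 0;
    int accepted = load_verify_then_commit(&good, 0x100, staging, sizeof staging) == 0
                   && memcmp(flash, img, sizeof img) == 0;
    return rejected && accepted;
}
```

The design point is the order of operations, not the checksum: in the first loader a failed verification returns an error but leaves attacker-supplied bytes in flash, which is exactly why the start vector (and, per the post, the secpack region) become the targets. Staging and verifying the copy you are about to commit removes that window entirely, at the cost of RAM for the staging buffer.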
Posted by planetbeing on under cpu caches, memory address, lcd driver, command processor, power c, static methods, wrg, address range, mmu, syrah, bgcolor, iboot, ibec, prob, typo, queue, gamma, ace, bugs, clock |

I had a lot of trouble getting the LCD driver to work. Everything seems to be fine except that when I try to write to the memory address range reserved for the LCD's gamma tables, it doesn't register. It's as if some clock or some device hadn't gotten turned on or something. Therefore, after loading openiboot from iBoot, the screen gets all screwed up.
However, if you load iBEC from iBoot, the screen doesn't get screwed up: you can still use bgcolor and everything works. I thought that meant at first there was something wrong with my LCD init code. I spent a frustrating day carefully auditing it for errors, and I did find two bugs that I fixed, but unfortunately it did not have any effect on the main problem. I got as far as I could with static methods so I decided to perform a series of experiments.
First, I had some trouble chainloading iBoot and iBEC from openiboot. There was a series of fails that I fixed along the way: trouble with USB send (just a silly typo in the client), trouble getting the resulting thing to execute in memory (you've gotta turn off the CPU caches, disable MMU and interrupts for it to work properly. It also can't be run as part of an ISR because, well, iBoot expects to be able to receive interrupts, so I had to move the command processor onto the main thread and just have the ISR queue up commands for the main thread to process). Anyway, those were eventually fixed.
My experiments showed that after openiboot did its inits, chainloaded iBoot and iBEC were unable to reinit the LCD properly (they had the same problem). I narrowed the problem down to the place in power.c where I "turn off" the LCD controller. This happened in the 114 iBoot, so I thought it was necessary. Analyzing the newer 2.x iBoots, that routine was actually removed. Since I am reasonably confident that my syrah_init is functionally identical to their merlot_init, and that that power init, when present, causes LCD init to fail in all cases and, when absent, allows LCD init to succeed in all cases, I'm pretty sure that's the problem.
So I went ahead and removed it. This may or may not mean I am actually depending on the iBoot that I chainloaded openiboot from for the LCD init. We'll see after I try to replace iBoot entirely in the bootchain.
Anyway, USB is solid as a rock now seemingly and chainloading seems to be working quite well. I'm actually able to load iBoot from NOR, patch it in memory, and then execute it from openiboot. This probably means I'm ready to try flashing the thing again.
Then we'll see how well it truly works.
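The move of the command processor out of the ISR is a pattern worth writing down. The following is an added example, not openiboot's code: a single-producer, single-consumer ring that the USB interrupt handler pushes into without blocking, drained by the main loop, which is also where anything that must run with interrupts enabled (such as the chainload teardown) belongs. The command codes, the queue depth and the load address 0x09000000 are assumed for illustration; on a real ARM target the publish of the head index would additionally need a memory barrier.

```c
#include <stdint.h>

/* Assumed queue depth; a power of two so the index mask works. */
#define CMDQ_LEN  8
#define CMDQ_MASK (CMDQ_LEN - 1)

enum cmd_kind { CMD_NONE = 0, CMD_BGCOLOR, CMD_CHAINLOAD };  /* assumed codes */

struct cmd { enum cmd_kind kind; uint32_t arg; };

static struct cmd cmdq[CMDQ_LEN];
static volatile unsigned cmdq_head;   /* written only by the ISR */
static volatile unsigned cmdq_tail;   /* written only by the main loop */

/* Called from the USB ISR. Never blocks; returns 0 when the ring is full so
 * the handler can drop or NAK instead of stalling in interrupt context. */
int cmdq_push_from_isr(struct cmd c)
{
    unsigned head = cmdq_head, next = (head + 1) & CMDQ_MASK;
    if (next == cmdq_tail)
        return 0;                     /* full: one slot is kept free on purpose */
    cmdq[head] = c;
    cmdq_head = next;                 /* publish only after the slot is written */
    return 1;
}

/* Called from the main thread with interrupts enabled. Returns 1 and fills
 * *out if a command was pending, 0 if the ring is empty. */
int cmdq_pop(struct cmd *out)
{
    unsigned tail = cmdq_tail;
    if (tail == cmdq_head)
        return 0;
    *out = cmdq[tail];
    cmdq_tail = (tail + 1) & CMDQ_MASK;
    return 1;
}

/* Main-thread dispatcher. Handles cheap commands inline; a CMD_CHAINLOAD stops
 * the drain and hands its load address back so the caller can do the
 * cache/MMU/interrupt teardown and jump from a normal thread, never an ISR.
 * Returns 0 when no chainload was requested. */
uint32_t cmdq_drain(unsigned *bgcolor_handled)
{
    struct cmd c;
    while (cmdq_pop(&c)) {
        switch (c.kind) {
        case CMD_BGCOLOR:   (*bgcolor_handled)++; break;
        case CMD_CHAINLOAD: return c.arg;
        default:            break;
        }
    }
    return 0;
}

/* Constructed demonstration: the "ISR" pushes five bgcolor commands, a
 * chainload, and one more bgcolor (seven fit); an eighth push is refused.
 * The main-thread drain handles the five bgcolors, returns the chainload
 * address, and leaves the trailing command queued. Returns that address,
 * or 0 if any step behaved differently. */
uint32_t demo_isr_queue(void)
{
    cmdq_head = cmdq_tail = 0;
    unsigned bg = 0;
    for (unsigned i = 0; i < 5; i++)
        if (!cmdq_push_from_isr((struct cmd){ CMD_BGCOLOR, i })) return 0;
    if (!cmdq_push_from_isr((struct cmd){ CMD_CHAINLOAD, 0x09000000u })) return 0;
    if (!cmdq_push_from_isr((struct cmd){ CMD_BGCOLOR, 99 })) return 0;  /* 7th fits */
    if (cmdq_push_from_isr((struct cmd){ CMD_BGCOLOR, 100 })) return 0;  /* 8th refused */

    uint32_t addr = cmdq_drain(&bg);
    if (bg != 5) return 0;
    struct cmd left;
    if (!cmdq_pop(&left) || left.kind != CMD_BGCOLOR || left.arg != 99) return 0;
    return addr;
}
```

Because each index has exactly one writer, no lock is needed and the ISR can never wait on the main loop; the price is one unused slot and the requirement that the slot write is visible before the head update, which is what the barrier on real hardware enforces.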
Posted by on under joey hess, locati, physical path, wrg, path info, eula, shenanigans, phe, no doubt, case in point, waitress, waiter, spyware, sql, palm, bas |

Last week, Joey Hess revealed that the Palm Pre running on WebOS uploads very specific information about your location and application usage to Palm on a daily basis. Although it’s allowed by the EULA that you must accept to use the Palm Pre, it still seems a little…creepy, especially if used for the wrong reasons. The only “bright” side to this story is that it was for the Palm Pre, not for the iPhone. Apple has been in the news a lot lately for its AppStore shenanigans, but at least they don’t go so far as to track your location. Right?
Well, sort of. Although we have yet to find an application by Apple that tracks your location, there are certainly a number of “free” applications in the official AppStore that are designed to do just that. Case in point: there’s this rather cute/gimmicky app that lets you determine the tip for your waiter or waitress by tilting your phone as you pass it around the restaurant table. But if you dig a little deeper (like bushing did) you’ll find it uses a library by Pinch Media that is specifically designed to track your geographical location through time, then upload that data to Pinch Media. (Oh, and it also shows you an ad, as an extra bonus.)
Being an approved app, it must first ask you for permission to use your location. If you tap “Don’t Allow”, it will ask you again in about a minute, the next time its ad changes. So you either stop using this app (because it pesters you so much about the location question), or you finally submit and tap “OK”. From that point on, your location and path info (your actual physical path through your area each time you launch the app) belongs to Pinch Media, Inc. We think that’s a Pinch too much.
Update: A commenter named fusen pointed out this post by 0th3lo, who details Pinch Media’s SQL info (it includes your gender and birthday, when possible) and goes so far as to say “no doubt, ANY pinchmedia iPhone application is spyware”. Maybe it’s time to pressure Apple to boot Pinch Media apps from the AppStore?
Update: Pinch Media have blogged about the data collected by their analytics library here.
Update: Jailbroken users are now at a distinct advantage when it comes to data tracking. saurik has worked with Pinch Media and some other data trackers to develop an “opt-out” feature for data collection! It’s called PrivaCy and is now available via Cydia!
Posted by blogs@bobvila.com (Ben) on under chlorine dioxide, sulfur compounds, wrg, drywall, sabre, embarrassment, china |

It might be too late to spare China's embarrassment over the contaminated drywall mess, but apparently it isn't too late to right their wrong. That's what Sabre Technical Services is doing, with their chlorine dioxide decontamination process which -- once injected into the tainted drywall -- renders the problematic reduced sulfur compounds inert. The company claims that the process requires homeowners to vacate their home for less than a week and costs less than the "rip and ...
Posted by on under bizarre moments, wrg, heavy dose, sci fi, wild ride, fringe, science |

Fringe has been a wild ride so far. Like any good sci-fi show, it plays with impossibilities and takes us to the land of "What If?" But the show also gives us a heavy dose of science gone wrong, and when things go bad in the Fringe world, truly freaky events occur...