Subscribe

Get our E-Mail Newsletter:


Lastest posts


The iPhone Hacking Kit, step by step

Sponsored link

iphoneterminal.jpgFor better or worse, Apple designed the iPhone to be a completely closed system. That is, you can’t add new applications to it, and even some seemingly “normal” cell phone features - like the ability to add custom ring tones - are locked up. Or are they?

Thanks to an extremely well-organized group of very talented hackers, you can crack into your iPhone and make all sorts of changes and modifications. The iPhone hacking effort has been a Herculean task, but the progress that’s been made in a reasonably short amount of time is very impressive.

In the month since the iPhone shipped, hackers have released code that allows you to perform all sorts of modifications, from installing custom ringtones, to adding new applications such as a screen capture program, and a Nintendo emulator.

Hacking the iPhone is not a complicated process, but it does take time, usually 30 to 45 minutes, and some special software and bits of code, which we’ve gathered up for you. Best of all, once your phone is hacked, you can very easily install additional third party apps as they’re released. In this article, we’ll walk through all of the steps required to hack your iPhone and install third party applications and options.

(If you want to know the story behind this story, read Christopher Breen’s blog entry at Macworld.com.)

Detailed (and we’re not kidding) instructions after the jump. If you’re faint of heart, begone!

Why should you hack your phone?

Because it's there.

For the most part, there's not a huge reason to hack your iPhone yet. Adding custom ringtones is probably the best reason to do a little iPhone hacking. Capturing screenshots of your iPhone is another good excuse to hack it (you'll see screenshot examples later).

But currently, there's not a "killer app" for iPhone hacking. The Nintendo emulator is cool-looking, but is somewhat unplayable due to the iPhone's lack of real buttons. At this point, the only real reasons to hack your iPhone are:

  • It's fun. You get to learn some stuff about the inside of your phone, and possibly learn some cool Unix stuff along the way.
  • It will make your iPhone look different and unique. Once you have a couple of additional apps on there, other iPhone users will take pause when they see your phone.
  • You'll be prepared for future third-party releases. Once your iPhone is hacked, it's very simple to add additional applications as they become available. Development is proceeding very quickly - the Nintendo emulator was available just a week after the iPhone hacker development tools were posted.

Hacking your iPhone requires an Intel Mac, a set of files and the iPhone Hacking Kit, which you can download here, and some time. Unzip the iPhone Hacking Kit folder and place it on your Desktop. It must be on the Desktop for these instructions to work as they are printed here. Finally, your Mac and iPhone need to be connected to the same Wi-Fi network.

Before we begin, though, we must issue the obligatory warnings: it is theoretically possible to screw up your phone. However, at any time, you can use iTunes to restore your phone to its original state, so you don't have to worry about completely breaking your phone. The worst that will happen is that you'll lose some time. That said, if taking things apart makes you nervous and uncomfortable, then what we're going to do here probably isn't for you.

We'll be performing most of our hacks through the Terminal application on your Mac. Just type carefully and proceed slowly and you'll be fine. And don't worry, a single typo will not trash your whole phone.

What we're going to do

Before we get started, let's take a high-level look at exactly what we mean when we say we're going to "hack the iPhone." Our goal is to open up a communications channel that will let us add new, executable applications to the iPhone. The iPhone is a communications device, so one would think that it would be easy to communicate with it, but because Apple designed it to be unmodifiable, finding a way to talk directly to the phone is not simple.

Yes, the phone has a Wi-Fi connection, a cellular radio, and Bluetooth, but it doesn't actually include any software that can use these features for file transfer, and there's no way to hack into any of those particular connections.

However, it does include a serial port and a cable, and it knows how to talk to iTunes through this connection. This, then, will be the initial method for talking to the iPhone. Thanks to some clever software, we'll begin by breaking the phone out of the "jail" that Apple has put it in.

Jailbreaking works by intercepting the communication that is supposed to happen between the iPhone and iTunes. Once intercepted, a channel is open to the computer's OS, and we can use that channel to install software. However, this channel requires a direct connection to your Mac (through the iPhone's USB cable) and while your phone is "jailbroken" you can't sync. As such, it's not a viable long-term solution for hacking the phone.

So, our first task after the phone has been broken open will be to install an SSH tool. SSH stands for "secure shell" and is a standard Unix tool for issuing commands to any computer that's running Unix. And, since your iPhone is built on an OS X variant, it's a Unix computer.

Next we'll install some additional utilities, including some file transfer utilities, and then finally we'll put the phone back in jail. That is, we'll return it to its normal state that allows it to sync with iTunes through its serial cable. However, with the SSH and file transfer utilities installed on the phone, you'll now be able to talk to the phone from any Mac terminal window via the phone's Wifi connection - just as you can talk to any other Mac or Unix machine this way. We'll use this channel to install a Terminal application and screen shot utility.

Let's get started.

Get out of jail free

In the iPhone Hacking Kit that you downloaded, you should find an installer for iFuntastic. Double-click this installer to install iFuntastic in your Applications folder. This is the program we will use to jailbreak your phone.

Once it's installed, do the following:

1. Reboot your Mac, just to be safe. You don't want iFuntastic crashing during this process.

2. Make sure your iPhone is on, then plug it into your Mac using the usual cable.

3. After iTunes launches, quit it.

4. Double-click iFuntastic to launch it.

5. On the left side of the iFuntastic window there is a button called Prepare. Press it now.

6. Click the Jailbreak button at the bottom of the window.

7. On the next page are six steps. Follow them very closely.

8. If all goes well, you will see this page:
figure2.jpg

If the jailbreak fails, don't panic, just try it again until it works.

9. Now hide iFuntastic by pressing Command-H. We'll be returning to it later.

Your iPhone won't look or function any differently once it's out of jail. The only change is that when you plug it in it won't sync with iTunes. Don't worry, we'll re-jail it when we're finished to get it back to normal.

Now we're ready to exploit our newfound connection to our phone.

Not your average bear

As mentioned earlier, our ultimate goal is to end up with an iPhone that has software on it that can communicate with our Mac via a normal Wifi connection. With the phone jailbroken and tethered to the Mac, we have a communications channel which we will now use to install an SSH application called Dropbear. From here on out we'll be working extensively with the Terminal application, so open it now. By default, it's located in Applications>Utilities.

Once Terminal is launched, you need to change to the iPhone Hacking Kit directory. In terminal type cd followed by a space, and then drag the iPhone Hacking Kit folder into the terminal window. Then press Return. Your terminal window should now say something like:

Your Mac:~/Desktop/iPhone Hacking Kit yourmac$

Located in the iPhone Hacking Kit folder is a copy of iPHUC, the iPhone Utility Client. Run it now by typing

./iPHUC

and then pressing return.

You should see:

>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
initPrivateFunctions: this is still not clean.
Architecture: i386
AMDeviceNotificationSubscribe: 0
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceConnect: 0
AMDeviceIsPaired: 1
AMDeviceValidatePairing: 0
AMDeviceStartSession: 0
AMDeviceStartService AFC: 0
AFCConnectionOpen: 0
AFCPlatformInit: (no retval)
notification: Entering shell in Normal Mode.
shell: Entering loop.
(iPHUC) /:

We are now in a shell that's talking directly to the iPhone, just like any other type of shell that you might normally run in Terminal. This one, though, knows how to communicate through the jailbreak connection that we've established through the serial cable.

Now we need to make one little change to the phone. Do this by typing:

setafc com.apple.afc2

After pressing return, iPHUC might respond with this error:

InvalidResponse
AMDeviceStartService AFC: -402653165
AFCConnectionOpen: 0

If it does, then quit iPHUC by typing exit, then run iPHUC again by typing ./iPHUC.

Now enter setafc com.apple.afc2 again, and press return. You should now see:

AMDeviceStartService AFC: 0
AFCConnectionOpen: 0

If you see the Invalid Response message, quit iPHUC and try again. When things are working, you should see something to the effect of:

AMDeviceStartService AFC: 0
AFCConnectionOpen: 0

Don't worry about the numbers. In some cases, you might have to actually quit Terminal completely and restart. Keep going until the command completes without the Invalid Response error generating.

To ensure that everything is working properly, type ls and press return. If you're used to using Terminal, you'll recognize ls as the List Directory Contents command, and sure enough, you should see a directory listing:

.
..
Applications
Library
System
bin
cores
dev
etc
iTunes_Control
mach
private
sbin
tmp
usr
var

These are the contents of the iPhone's root directory and as you can see, they look very much like a standard OS X root directory. If you don't see this directory, quit iPHUC and try again.

Now we need to retrieve two files from the iPhone. Later, we'll see what these are for.

In the Terminal, enter
getfile /System/Library/LaunchDaemons/com.apple.update.plist com.apple.update.plist.original
and press return. iPHUC should respond with:

remote: /System/Library/LaunchDaemons/com.apple.update.plist
local: com.apple.update.plist.original
AFCFileRefOpen: opening remote path '/System/Library/LaunchDaemons/com.apple.update.plist'
AFCFileRefRead: reading 489 bytes into buffer
getfile: Writing file to local path 'com.apple.update.plist.original'
getfile: Transfer successful.

If you look in your iPhone Hacking Kit folder on your Mac, you should see a new file called com.apple.update.plist.original. This is a copy of a preference file that we just pulled off of the iPhone and renamed.

Now enter getfile /usr/sbin/update update.original and press return.

Again, you should see the Transfer successful message, and another file will appear in your iPhone Hacking Kit folder. This time, we grabbed the update daemon from the iPhone. This is a small application that gets executed when the phone boots. We renamed the daemon update.original when we saved it to the local drive. The reason for all this will become clear shortly.

Now it's time to put Dropbear, our SSH tool onto the iPhone. Issue the following commands. After each one you should see "Transfer successful". If you don't, then double-check your typing and try again. You'll need to replace [username] with your user name.

Next, enter mkdir /etc/dropbear

This creates a directory called dropbear in the /etc directory.

Using the Putfile command, you'll need to move several files from your iPhone Hacking Kit onto the iPhone. You'll do this by typing putfile and pressing space, then dragging and dropping the file from the finder onto a Terminal window, then typing a space, then typing the path of the destination directory.

For example, for the first entry the end result would be:

putfile /[path to hacking kit]/sh /bin/sh

File to Drop Destination to type
sh /bin/sh
chmod /bin/chmod
dropbear /usr/bin/dropbear
au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons
dropbear_rsa_host_key /etc/dropbear
dropbear_dss_host_key /etc/dropbear
chmod /usr/sbin/update
com.apple.update.plist.hacked /System/Library/LaunchDaemons/
com.apple.update.plist

We've done several things here. First, we put a copy of a shell application called sh into the /bin directory on the phone. Ultimately, we will need a shell application to be able to communicate with the phone from the Mac terminal, so that's why we're installing it now.

Next, we placed a copy of a program called chmod in the /bin directory. All files in a Unix operating system have permissions attached to them, and chmod is a program that lets us alter permissions. We'll use chmod to make the applications that we install executable.

Next we installed Dropbear in the /usr/bin directory. This is the SSH program that we want the phone to run. After that, we installed a plist with a long name in the /System/Library/LaunchDaemons directory.

We placed two host key files in the /etc/dropbear directory that we made earlier. SSH needs these files to perform its secure, encrypted transfers.

Finally, we placed another copy of chmod in the /usr/sbin directory, but this time we named the resulting file update. As you'll recall, earlier we pulled a copy of update off of the iPhone. We're now writing over the update app that's on the iPhone with a chmod app. You'll see why in a sec. We also installed a plist in the com.apple.update directory.

So, we've copied Dropbear onto the phone, as well as some utility files that it needs, but we've also done something else. Before an application can be run, its permissions must be set to executable, which we can do with the chmod application that we installed. The problem is, how do we get chmod to run on our Dropbear application because right now, we have no way to execute a program.

In the old days of iPhone hacking (that is, the morning of June 30, 2007 at roughly 10ish) you used special tools to pull off an image of the iPhone's contents. Then you manipulated that image on your Mac, installing software and changing permissions, and put the whole thing back on. This was difficult and time-consuming, which is why an enterprising hacker named Nervegas came up with a new trick.

When your iPhone is booted, it automatically runs certain applications called daemons. The update daemon is one of those. As you'll recall, we made a copy of update early on. You've now replaced the update daemon on the phone with a copy of chmod. When you reboot your phone, it will blithely execute update, just as it's supposed to, with no idea that it's actually running chmod. The com.apple.update.plist.hacked file that we installed (but named com.apple.update) contains the parameters necessary for chmod to alter the preferences of our Dropbear application to make it executable.

Once Dropbear has been made executable, it will run any time the phone is powered on. So:

Now turn your phone off, and then turn it back on. Because you're still jailbroken, iTunes will launch and then quit. When the phone is back up and running, turn it off and on again. Again, iTunes will launch and quit. You have now rebooted your phone twice. The first time, our Trojan chmod application modified the permissions of Dropbear. The next time, the now-executable Dropbear should start running, and voila! You'll have an ssh daemon running on your iPhone!

After the phone has rebooted the second time, we need to test to see if ssh is running. Any time you want to SSH into your iPhone, you must know the phone's IP address. On the phone, press Home, then Settings, then Wi-Fi, then look at the details for the network that you're connected to. You'll find the IP address in there.

  1. In the Terminal window, type exit, to quit iPHUC.
  2. Type ssh root@[iPhone's IP address]. For example ssh root@192.168.1.14.

The iPhone should respond with something like:

The authenticity of host '192.168.1.14 (192.168.1.14)' can't be established.
RSA key fingerprint is 5a:e4:fa:de:62:f6:9b:96:7f:3b:57:b1:76:21:77:d6.
Are you sure you want to continue connecting (yes/no)?

Type yes and hit return. When it asks for a password, enter dottie. By default, all iPhones have a password of dottie.

You should see a prompt like this:

-sh-3.2#

Congratulations! You've just installed an ssh client and ssh'd to your iPhone!

  1. Enter ~. To exit ssh. If it continues to display the ssh prompt, try again.

Back to normal

Now we need to restore some things on the phone to normal. As you just learned, to get this all to work, we had to replace the update daemon with chmod. Now we need to put update back where it was.

Launch iPHUC by typing ./iPHUC in the Terminal and then enter these commands (each of them on a single line, despite the fact that on this web page the information breaks over multiple lines):

putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/com.apple.update.plist.original /System/Library/LaunchDaemons/com.apple.update.plist

putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/update.original /usr/sbin/update

Those two commands restore the update daemon.

Your phone now has an ssh client on it, and a password known by anyone who's reading this article (as well as a bunch of really talented hackers). The odds of someone looking for an iPhone to hack in a public place are small, but if you really want to be secure, you can change your password.

To change the password of your phone:

  1. In the Terminal, exit iPHUC by typing exit.
  2. At the prompt, enter perl-e 'print crypt("mypassword","xx");'

Substitute your desired password for mypassword, and enter any two characters in place of XX.

Terminal will display an encrypted version of your password.

  1. In the iPhone Hacking Kit folder, you'll find a file called master.passwd.original. Open this in TextEdit and replace both the mobile and root passwords with the encrypted text.

For example, if you generated the following password in step 2: XXVeA.Z.EZ6FA

Then, in the master.passwd.original file, you would change this:

root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh

to this:

root: XXVeA.Z.EZ6FA:0:0::0:0:System Administrator:/var/root:/bin/sh

and this:

mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh

to this:

mobile: XXVeA.Z.EZ6FA:501:0::0:0:Mobile User:/var/mobile:/bin/sh

  1. Choose File > Save As and save the document back into the iPhone Hacking Kit folder as master.passwd.
  2. Because TextEdit tends to add .txt extensions, select the file, choose File > Get Info, and get rid of the extension.

  3. In the Terminal, launch iPHUC again by typing ./iPHUC.

  4. Put the new password file on your phone with this command: putfile /Users/[username]/Desktop/iPhone\ Hacking\ Kit/master.passwd /etc/master.passwd

Now your phone is almost back to normal. But, we still have some more things to install.

SCP - The racer's edge

So far, we've been using iPHUC to manage all file transfers between the Mac and the iPhone. But we want something that doesn't require a tethered connection, so we're going to install a copy of a program called SCP. This will ensure that we can move files on and off after we've unplugged the iPhone.

Launch iPHUC and issue the following commands, once again using Putfile to move the following files into the following directories in the format

putfile [drop file here] [destination path]

File to drop Destination to type
sftp-server /usr/libexec
scp /usr/bin
libarmfp.dylib /usr/lib/libarmfp.dylib

The SCP and SFTP servers are now installed, but they need to be made executable. As you've learned, we can make a file executable by using the chmod tool. Earlier, we had to trick the iPhone into executing chmod, but now that we have ssh on the phone, we can simply ask the phone to execute chmod.

Enter ssh root@[iPhone's IP address]

When prompted, enter your password, you will then be presented with an ssh prompt: -sh-3.2#

Now the Terminal window is acting as a terminal directly to the iPhone. In other words, any commands we enter will be executed by the phone. Tell the phone to execute chmod to change the permissions of the sftp-server and scp applications.

chmod +x /usr/libexec/sftp-server
chmod +x /usr/bin/scp

Now test SCP by entering scp. You should see something like this:

usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 [...] [[user@]host2:]file2

We'll use SCP shortly to install some new applications on the iPhone. But first, we need to do some cleanup.

Go directly to jail

We're just about ready to re-jail the iPhone. This will return it to its normal, sync-ready state, and will mean that you no longer have to tether it.

Before we rejail, though, we're going to move over a few more files. In iPHUC, issue the following commands in the format putfile [drop a file here] [path]

File to drop Path to type
shells /etc
bash /bin
csh /bin
rm /bin
rmdir /bin
ls /bin

We'll fiddle with those files later. For now, on your Mac, return to iFuntastic. We're ready to re-jail the phone.

Before we do, though, notice that iFuntastic allows you to add new ringtones, change the carrier logo, alter the order of icons on your home screen, and browse files. If you want to use any of these features, give them a try.

When you're finished, click the Finish button, and then the Jail button. Then, follow the on-screen instructions. This will put your phone back in jail, closing the communications loophole that we've been exploiting. iPHUC will no longer be able to talk to your phone. But that's okay, because we now have lots of other ways to do that.

After your phone has rebooted, click Done, and then give some thought to donating to the resourceful hackers who made iFuntastic possible. When you've finished, quit iFuntastic and unplug your iPhone from your Mac.

Do something useful

So far, our hacking has been limited to the "because it's there" level of satisfaction. Let's kick it up a notch and install some actual applications. We'll start with a screenshot app written by Erica Sadun. We need to transfer the screenshot app to the phone, which we'll do using the SCP application that we installed earlier.

scp [drop hacking kit screenshot here] root@[iPhone's IP]:/Applications

You'll be prompted for your phone password, and then the transfer should occur. This command sends the file screenshot to the Applications directory of the phone. You can learn more about scp by opening a new Terminal window and entering man scp.

Now we need to make the screenshot app executable.

ssh into your phone (ssh root@[ipaddress]). Because you rebooted your phone, you may want to double-check what IP it ended up with. Enter these commands:

chmod +x /bin/bash
bash

You should now see a bash prompt that looks like this:

bash-3.2#

Bash is a more versatile terminal that allows you to do a few more things.

Enter chmod +x /Applications/screenshot

Screenshot should now be executable. Let's try it. Put your iPhone on a screen that you want to capture. In your Mac's Terminal window, enter /Applications/screenshot. You should see:

About to snap screen.
Your screen shot is located at /tmp/foo_0.png

Your phone has captured a screen and stored it. Now we simply need to retrieve it, which we can do with the scp command. Open a new terminal window and enter:

Enter scp root@[iPhone's IP]:/tmp/foo_0.png /Users/username/Desktop

When prompted, enter your password. The screenshot will be captured to your desktop.

figure3.jpg

(We created a second terminal window to enter the SCP command so that we now have one terminal window that's running SSH, and another that lets us issue SCP commands.)

If you're spending a long time ssh-ing or scp-ing to and from your phone, you might find that the phone falls asleep and kills the Wifi connection. You can make it stay on longer - or indefinitely - by going to Settings > General and then changing the Auto-Lock time.

So far, we've been using the Mac's terminal to control the phone. Let's install a terminal app that we can use on the phone itself.

Enter scp -r [drop Terminal.app from Hacking Kit here] root@[ip address]:/Applications/Terminal.app to transfer the terminal application to the phone. We have to add -r to the scp command because, technically, the Terminal app is a directory.

Now we need to make the app executable. SSH to your phone and then enter:

chmod +x /Applications/Terminal.app

Now restart your phone. Once it's up, you should see a new icon on your home screeen!

figure4.jpg

Press Terminal, and the terminal app will launch. Any commands that you've been issuing through ssh you can now do directly on the phone. For example, let's launch the bash shell. In the iPhone Terminal, enter bash and press return.

figure5.jpg

Just before we put the phone back in jail, we copied some additional commands to the bin directory. Let's make three of them executable. In the iPhone terminal, enter:

chmod +x /bin/rm
chmod +x /bin/rmdir
chmod +x /bin/ls

RM is a remove command that let's us delete files, while rmdir lets us delete directories. LS is the list directory contents command that we used earlier. We'll fiddle with these again later.

Bash is a much better shell than the default shell that the Terminal executes. So, if you find yourself unable to execute certain basic commands in Terminal, then try launching bash.

Let's do a little iPhone customization. Personally, I don't find the Stocks application to be very useful, so let's remove it. Because we might later have some great windfall that would make the Stocks app more handy, we'll back it up first, so that we can always put it back later.

In your Mac's Terminal window, enter the following:

scp -r root@[iphone IP address]:/Applications/Stocks.app /Users/[your user name]/Desktop

This will copy the Stocks program to your Mac desktop. Now enter the following commands (you can do this either via ssh on your Mac, or directly into the Terminal on your phone). Be sure to enter the path exactly as it is shown here, as this command will remove an entire directory, and you don't want to accidentally remove your entire Applications directory:

rmdir -rf /Applications/Stocks.app

Now reboot your phone. When it powers back up, you should find that the Stocks application is gone. If you ever want to put it back, just use SCP to transfer the copy that you saved to your desktop back to your /Applications directory. Then use chmod to make /Stocks.app/Stocks executable. Reboot the phone and it will be right back where it started.

All of this should be enough to get you started. You've got a good assortment of commands and an understanding of how to move things on and off your phone. As more apps are developed you can use SCP to transfer them to your phone, and CHMOD to make them executable.

Note that, with the next update, Apple could wipe out all of your changes. If this happens, you may have to re-hack the whole thing, and this may require an update to the Jailbreak application or to iPHUC. We'll try to keep you posted as these things change, and as new hacks become available.

Labels:




Translate to:

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home

Previous Posts


Visitor