Wednesday, July 1, 2009

Let's get started and ha let's get it started in here!

Sorry for the cheesy title :P but we have more progress :)

OK, first off: we have patched iBoot, iBEC, iBSS and the devicetree with the ECID, and now (so as to allow a jailbreak) I applied the RSA signatures (used for getting signed :P) and also some permissions. The RSA sigs and permissions are in iBoot only, but the ECID is inside all of those.

shall we?
Let's get it jailbroken and ha... :D


Blogger lost said...

keep up the good work! Im getting excited.... lol

July 1, 2009 at 10:08 AM  
Blogger DBDtheAbyss said...

Ha we're far from complete but we're making good progress :)

July 1, 2009 at 10:10 AM  
Blogger CeK! said...

That does sound like U'r making very fast progress (although a lot of work as I can "read")...exciting!!! :)

July 1, 2009 at 10:46 AM  
Blogger DBDtheAbyss said...

Ha yeah

July 1, 2009 at 10:47 AM  
Blogger Nikos said...

Hey guys i love ur work u make a good job!
I read every comment on geohotz blog and im very interested to learn how to hack or how to do this work!

I wish u good luck for ur progress of the iphone jailbreak!

Sorry for my bad english!

Greez from germany!

July 1, 2009 at 10:56 AM  
Blogger Brad said...

I have a 3gs I'll start working on the user application for us. Can you email me what you have so far and I'll load it with irecovery.

July 1, 2009 at 11:04 AM  
Blogger Nikos said...

I dont have any knowledge about that but if anyone need some help that i can do please tell me! My e-mail is :

July 1, 2009 at 11:09 AM  
Blogger Alain said...

congrats for your work !

I follow every post on geohot's blog since the beginning and I wish you good luck to go on further !
If I could help I'd do but I'm quite new in Apple's world.
I am a rom cooker for HTC HD, and I come here since a few weeks !

I'll follow you all !

July 1, 2009 at 11:11 AM  
Blogger Brad said...

Alain > your skills could be used here I would think. You should read over the iphonewiki that geo hotz has contributed to.

July 1, 2009 at 11:24 AM  
Blogger Alain said...

Thanks Brad,

You can see my work on this French web page:
I'm Alain18 on this blog, and I cooked for HTC HD.

I'll read the wiki and try to help.
If you need beta tester's I'll be in for sure, cause I'm not afraid in flashing my device !

July 1, 2009 at 11:27 AM  
Blogger Dmacpro91 said...

I get off work in 6hrs then I'm up all night with you all getting the rest of this figured out.

July 1, 2009 at 12:00 PM  
Blogger Dmacpro91 said...

Amazing progress though guys.
can you email me the files so I can catch back up to you all. Thanks.

July 1, 2009 at 12:01 PM  
Blogger William said...

Been following your progress and am very excited about it.

I'd be interested in Beta Testing as well when the time comes.

July 1, 2009 at 12:05 PM  
Blogger Arthur said...

Alright guys i am back..So i see u guys making progress.
Because you already made permission and rsa sigcheck patches can you patch it with my ECID too and send me to e-mail...

July 1, 2009 at 12:09 PM  
Blogger floyd25 said...


did you open that private irc or chat?


July 1, 2009 at 12:23 PM  
Blogger rand0mher0 said...

Been following you guys on geohot blog and now here. Keep up the good work guys. Snowy owl and purplera1n for the win!!

July 1, 2009 at 12:29 PM  
Blogger Arthur said...

Yeah i will get it up...

July 1, 2009 at 12:33 PM  
Blogger Maximilian said...

It is indeed interesting to follow all the blogs. One product, which is basically a smartphone, can move hundreds and thousands of people just for a jailbreak which is kind of a feature. Interesting. I really love apple (except network products.. guys..) :)

July 1, 2009 at 12:58 PM  
Blogger Arthur said...

ok irc is up...uses yesterdays password..
channel #udev

July 1, 2009 at 1:20 PM  
Anonymous Anonymous said...

Question: Won't your work be a waste once 3.1 comes out soon?

July 1, 2009 at 1:35 PM  
Blogger floyd25 said...

Arthur, would you give me the pwd ? please

July 1, 2009 at 1:47 PM  
Blogger Arthur said...

So if you are wondering guys, I am working right now on creating custom DMG file with cydia included. So when Derek, DBDTheAbyss and DMacro91 will be back we can test out what we have right now

July 1, 2009 at 1:47 PM  
Blogger the chef said...

you da man arthur .I'm working on a clubhouse sandwich. ;]

July 1, 2009 at 1:54 PM  
Blogger hatton920 said...

Good job guys, keep it going.

Watching with interest.

July 1, 2009 at 1:55 PM  
Blogger Dheeraj said...

setting up a twitterfeed would be great. like many people, i'm following geohot, chronicdev, devteam. would love to follow your blog on twitter.

July 1, 2009 at 1:55 PM  
Blogger Dmacpro91 said...

Only 4 more hours then work is over and then it's JAILBREAK JAILBREAK JAILBREAK for the next 10 hours!!!
What is the password to the irc. I can get on it as soon as i get home.
email is

July 1, 2009 at 2:11 PM  
Blogger gully666 said...

I followed over from geohots blog keep up the good work.


July 1, 2009 at 2:16 PM  
Blogger Brian said...

Thank you guys for taking a wack at this! Nice to have a little competition, and you guys definitely seem to be on the right path.


I would love to beta test. I was involved with some beta testing with 2.1, and I do have a pretty extensive background with technology.!!!

July 1, 2009 at 2:18 PM  
Blogger Arthur said...

For guys who are developing...we need to set up irc so that it doesnt go down when somebody goes offline or switches OS....any suggestions?

July 1, 2009 at 2:21 PM  
Blogger Arthur said...

Ok small update, I implemented the whole customization of 3G dmg file inside 3GS dmg file.. now I am waiting for patches to actually upload this to the phone

July 1, 2009 at 2:32 PM  
Blogger XxDobermanxX said...

Go go UDev!

July 1, 2009 at 2:35 PM  
Blogger Arthur said...

So what we have in custom dmg?

Its all original files + cydia package (also some other files and patches from 3G)

Also root partition now should be 700mb, so you will have around 90mb extra for themes and cydia apps

July 1, 2009 at 2:39 PM  
Blogger floyd25 said...

Did somebody try to patch iBSS with the ECID and load it with iRecovery into the phone? I wonder if it would still say invalid image...

July 1, 2009 at 2:41 PM  
Blogger Arthur said...

1st of all even original iBoot and iBSS do invalid image
reason - you have to be in DFU

July 1, 2009 at 2:44 PM  
Blogger ashley said...

dmacpro, i sent u an email

July 1, 2009 at 2:46 PM  
Blogger floyd25 said...

Arthur how would you send a file to the phone in dfu then? Seems like I'm missing something important :)

July 1, 2009 at 2:49 PM  
Blogger fiya said...

-f filename

July 1, 2009 at 2:51 PM  
Blogger floyd25 said...

using what tool?

July 1, 2009 at 2:52 PM  
Blogger Simone said...

@floyd25 I think you put the iphone in DFU and then (via irecovery) send the iBoot/iBSS. Nothing that is so difficult.

July 1, 2009 at 2:52 PM  
Blogger floyd25 said...

iRecovery only works when the phone is in recovery mode (itunes Logo). The DFU-Mode does not display anything on the phone and when you start iRecovery it only prints out that no phone in recovery mode is found. Seems pretty obvious :)

Tried to use dfu-util from the xpwn package but the util would stop working because the phone returned an error after sending.

July 1, 2009 at 2:54 PM  
Blogger Arthur said...

i use fine...its just you need file signed with ECID and Apple certificate...

IMPORTANT! I have checked iBoot from 3.1 and 3.0 (compared)
looks like Apple did change it (dont know for sure yet if exploit is gone)

July 1, 2009 at 2:58 PM  
Blogger floyd25 said...

I was reading about the "HSHS" point in the files where we should patch the ECID into. I could do that, but how would one patch the cert into the files? Don't really know at what position or after which hex I should insert it.

July 1, 2009 at 3:00 PM  
Blogger DBDtheAbyss said...

hey guys... good job arthur i can see you're working hard

July 1, 2009 at 3:00 PM  
Blogger Simone said...

iRecovery with ipdtcg 2g works both on Recovery and DFU (from iphonewiki: "It currently connects to [...] 0x1227: [...]iPod touch 2G: DFU Mode").

So with itouch2g it works, BUT i don't know for the 3gs. For the dfu-util error from xpw, i don't know too. But i read time ago that currently xpwn doesn't work very well with 3.x and dev team is going to release a new version.

July 1, 2009 at 3:02 PM  
Blogger Arthur said...

@DBDTheAbyss i create chat?

July 1, 2009 at 3:02 PM  
Blogger Arthur said...

or maybe a bit faster to use MSN?
Like it would be simpler to send file...u already know mine.. same as e-mail

July 1, 2009 at 3:04 PM  
Blogger fiya said...

@Simone/floyd25, it worked for me. Try using the older version of redsn0w. I'll check the version when I'm home.

July 1, 2009 at 3:05 PM  
Blogger Simone said...

Here it's two o'clock in the night. Good night [to] everyone (i don't know if it's "to everyone" or "everyone").

July 1, 2009 at 3:05 PM  
Blogger Arthur said...


Also were you successful to patch iBoot for rsa sigchecks?
And permissions and etc? i have my new iBoot with my ECID
i can send you it so you can patch it for exploit

July 1, 2009 at 3:09 PM  
Blogger floyd25 said...

Simone, thx for the info. I'll try again though I still don't know how to patch the ECID and the cert into those files.

July 1, 2009 at 3:09 PM  
Blogger Denio said...

Hey I made you guys a logo, I still have the PSD so if you want any changes made just ask

You don't have to use it if you don't want, I just made it to show my support and boredom :P

July 1, 2009 at 3:11 PM  
Blogger ashley said...

looks cool denio :)

July 1, 2009 at 3:18 PM  
Blogger Arthur said...

Can you send me patched iBoot? i will add my ECID myself
Also did you get iBSS and iBoot signed with Apple Certificate?

July 1, 2009 at 3:21 PM  
Blogger InhexSTER said...

By the way change my account display name..
@DBDtheAbyss please change Team members (Arthur to InhexSTER)

July 1, 2009 at 3:42 PM  
Blogger InhexSTER said...

So also i figured out that when you restore signed files save in /tmp on Mac, looks like no need for purplera1n :)

July 1, 2009 at 3:50 PM  
Blogger InhexSTER said...

So basically it will be all the img3 signed with ur need for patching...NICE!

July 1, 2009 at 3:54 PM  
Blogger DBDtheAbyss said...

back again.. sorry for popping around...

July 1, 2009 at 4:10 PM  
Blogger DBDtheAbyss said...

ok i have the rsa sigs tags and permissions written to iBoot :)

July 1, 2009 at 4:20 PM  
Blogger InhexSTER said...

did you read what i looks like apple saves received files in tmp which already signed. So now all we need is to implement exploit into iBoot

July 1, 2009 at 4:21 PM  
Blogger Josh said...

Hey! Sorry to congest the comments here, but I just wanted to say that I don't really know you guys, but I wish you the best of luck and hope you can bring us a jailbreak shortly and make everyone happy. :] Thanks again!

July 1, 2009 at 4:23 PM  
Blogger InhexSTER said...

@so i will check files i got from that tmp folder (if they work i will send you might i boot for exploit patching)

July 1, 2009 at 4:26 PM  
Blogger DBDtheAbyss said...

yes but you need the rsa stuff for the bootrom from doing anything...if you want help exploiting this ill help :)

July 1, 2009 at 4:27 PM  
Blogger DBDtheAbyss said...

lol chronic thinks im ipodtouchoverlord...

July 1, 2009 at 4:33 PM  
Blogger InhexSTER said...

@DBDTheAbyss sent you iBoot to patch with my ECID in it already

July 1, 2009 at 4:36 PM  
Blogger InhexSTER said...

@DBDTheAbyss Also it doesnt have Apple certificate thing, i dunno if you got it yet? patch for it also

July 1, 2009 at 4:38 PM  
Blogger ashley said...

that post was kind of unnecessary, he was going off, not even really knowing who u are.

rock on guys! :)

July 1, 2009 at 4:41 PM  
Blogger ashley said...

dev team new blog post guys! check it out.

July 1, 2009 at 4:58 PM  
Blogger InhexSTER said...

Knew it before their post

July 1, 2009 at 5:05 PM  
Blogger InhexSTER said...

only file that i am not able to get from there is IBSS it gets deleted too quickly

July 1, 2009 at 5:10 PM  
Blogger InhexSTER said...

@DBDTheAbyss i have created dmg files basing on custom 3G restore. So all the jailbreaking patches and cydia in there...Now i need that iBoot from you so i can try restore :)

July 1, 2009 at 5:15 PM  
Blogger ashley said...

gee thanks :(

July 1, 2009 at 5:25 PM  
Anonymous Anonymous said...

Good luck guys..... I hope you get crack this cold case!

July 1, 2009 at 5:30 PM  
Anonymous Anonymous said...

can you tell us if we need to do the 2 restore processes to get the signed iBSS and iBEC Files from /tmp even if we already have our ECID&the purplera1nyday file?
if we "should" have it (easier JBing?) then tell me (us) here how the correct name of these 2 files is, and ill write a small bash script for mac which does the job for you, just in time!

greetz, martin

PS: Wanna help you guys - have a Unibody Macbook and a Windows PC and a lot of coding knowledge so if you want my help ill do so, just contact me -> ;)

July 1, 2009 at 5:51 PM  
Blogger InhexSTER said...

@WHiTY it would be very useful...
the idea is that there custom.preference.bundle.* folder
where is some hex number
but we have to grab all files from there
but it would be nice so script grabs it every second or even 0.5 seconds
cause the IBSS file is sent once (when white screen flashes and apple logo appears) and it's gone in less than a second

July 1, 2009 at 5:55 PM  
Blogger InhexSTER said...

pretty much we need 2 scripts 1 for getting iBSS and probably iBEC... 2nd for getting everything else (which stays there all the restore time)

July 1, 2009 at 5:57 PM  
Anonymous Anonymous said...

yep, i just have a first prototype of the script...its able to get all files which it has to get. i only need to know which files (filenames were useful). in case on every restore process the names are the same there is no need not to type them statically into my script.

so please tell me just the iBSS/iBEC Filenames in /tmp and i can post a first version of the script - i planned it that u have only to start it once via Terminal before starting the restore process, and just kill it until the process ended. and in the meantime it has saved all wanted files to a alternate filename or directory if wanted.

so, please tell me the filenames and ill post the script v.1.0 here ;)

July 1, 2009 at 6:12 PM  
Anonymous Anonymous said...

oh only read your last post....yeah i can manage it to check every 0.1sec (better it is ;)) and itll "backup" all files in the "custom..." directory, right?

July 1, 2009 at 6:13 PM  
Blogger InhexSTER said...

basically thats the you start it and it copies whatever in that directory...and if file already exists skips copying it. just copies new files as they arrive..also possible just allow to rewrite previous ones

July 1, 2009 at 6:17 PM  
Blogger InhexSTER said...

the folder name all the times is different...i will go into mac and check...but it ends all the time on different hex number so you need use start...and just copy the whole folder i guess

July 1, 2009 at 6:20 PM  
Anonymous Anonymous said...

so the directory name you posted above is written correctly? if yep, then ill write the script just to use this directory (if exists) and make a backup of every file in there until you kill the script (which means your Restore has finished)

ok - iam using the dir name above now....can you add me to your team here or so!? maybe a mail or do i have to post the script here in the comments?

July 1, 2009 at 6:23 PM  
Blogger InhexSTER said...

directory name is like that

* means there is hexadecimal random number...but mac can do autofill

July 1, 2009 at 6:26 PM  
Anonymous Anonymous said...

so what..../tmp/PersonalizedRestoreBundle.* or custom.preference.bundle.*?? or both?

July 1, 2009 at 6:32 PM  
Blogger InhexSTER said...

no personalized one

July 1, 2009 at 6:34 PM  
Anonymous Anonymous said...

so the script only needs to check /tmp/custom....dir?

July 1, 2009 at 6:35 PM  
Blogger InhexSTER said...

Need to copy only Personalized....

July 1, 2009 at 6:36 PM  
Anonymous Anonymous said...

so only this -> /tmp/PersonalizedRestoreBundle.*

July 1, 2009 at 6:38 PM  
Blogger InhexSTER said...


July 1, 2009 at 6:39 PM  
Anonymous Anonymous said...

ok...@coding now...

July 1, 2009 at 6:41 PM  
Anonymous Anonymous said...

ok script is almost done in v.1.0 ;) but cant test it because dont have restore ipsw or something else. but i can send it over - its well documented and written with great care - so there should be NO risk!

July 1, 2009 at 7:06 PM  
Anonymous Anonymous said...

Script done! Cant test because have no ipsw and need my phone, so cannot play with it but i took as much care as you can expect from a person that writes a bash script just 4 am in the morning ;)

@InhexSTER tell me where i have to put it so you or anyone else can test it!? (Mail/IRC/?)

July 1, 2009 at 7:20 PM  
Blogger InhexSTER said...

July 1, 2009 at 7:21 PM  
Anonymous Anonymous said...

ok forgot a little routine that tests if the directory exists and THEN copies all files over ;) will write a small tutorial for it too so everyone understand what this script does

July 1, 2009 at 7:28 PM  
Blogger InhexSTER said...

Yeah, it wont be nice if it creates duplicates of haz to replace them if they exist

July 1, 2009 at 7:32 PM  
Anonymous Anonymous said...

@InhexSTER: can i expect that iTunes deletes the Personalized...Directory after restore from tmp-Dir? If yes my script now has COMPLETLY finished and should work as expected now, really ;)

July 1, 2009 at 7:34 PM  
Blogger InhexSTER said...

yes..itunes gets rid of tmp files as soon as its done restoring

July 1, 2009 at 7:40 PM  
Blogger InhexSTER said...

send me it and i will test it right now..

July 1, 2009 at 7:41 PM  
Blogger Dmacpro91 said...

Thanks. Got your email and am working on trying to catch back up to everybody. Thanks again.

July 1, 2009 at 7:44 PM  
Blogger InhexSTER said...

@Dmacpro91..Do you know anything about that DBDTtheDarkAbyss got sig checks and permissions patched?

July 1, 2009 at 7:45 PM  
Blogger Dmacpro91 said...

Use this script to catch all the files you need
open terminal
type: mkdir Pwnage_save
hit enter.
type: "while [ 1 ]; do cp -R /tmp/* /Users/your_username/Pwnage_save/; done" without the quotes.
Let it run until one of the folders has the iBSS.

PS: To see contents of these folders open terminal. Type sudo su. Then cd into each folder and use the "ls" command to view its contents.

July 1, 2009 at 7:46 PM  
Blogger Dmacpro91 said...

Thats what i'm working on. I had to work late today and go to sleep last night so now i'm stuck trying to play catchup.

July 1, 2009 at 7:47 PM  
Anonymous Anonymous said...

i posted it at pastebin with just a little description - enjoy and post comments or errors per mail to codelab23...googlemail com....Going to bed now...will read it l8er (in 3h about)



July 1, 2009 at 7:49 PM  
Anonymous Anonymous said...

@Dmacpro091: your small "script" or command row isnt very useful - if your tmp folder is gotten huge you're backing up a lot of crap, this takes time. use my script (last post above) instead - this should do the job better ;)

July 1, 2009 at 7:52 PM  
Blogger Dmacpro91 said...

True but it does work at least. Once you get the files you need just move them and delete the folder.

Yours is rather refined though i must admit.

July 1, 2009 at 7:56 PM  
Anonymous Anonymous said...

yeah....but it has 2 "bugs" it doesnt use the WAIT variable - only replace both "$SLEEP 1" with "$SLEEP $WAIT" and of course i meant "can" instead of "cant" at howto-point 3. ;)

July 1, 2009 at 8:02 PM  
Anonymous Anonymous said...

yeah i refined mine alot more ;) both of our scripts working - one more efficient than the other - its just a little problem (the /tmp/ readout) i think, everyone can use the "script" of their choice ;)

Going to sleep now - its just 5am here (Dresden, Germany) ;)

July 1, 2009 at 8:04 PM  
Blogger InhexSTER said...

Looks like we have got this way also signed ramdisk dmg

July 1, 2009 at 8:09 PM  
Blogger InhexSTER said...

Also i didnt get IBSS yet..i think i have to do DFU restore for that

July 1, 2009 at 8:10 PM  
Blogger InhexSTER said...

Yeah i was right so, this guys scripts is very good...
Helped a now i have all the files which are i need to implement exploit in iBoot
Any progress Dmacpro91?

July 1, 2009 at 8:14 PM  
Blogger Dmacpro91 said...

Not yet i cant get any program to patch the iBoot and other"i" files.
Any thoughts? Shouldn't i be able to apply the patches with a standard hex editor?

July 1, 2009 at 8:17 PM  
Blogger InhexSTER said...

yes, the problem is where to apply i tried searching for hex addresses that geo provided there is none like that 0x4FF1..... one for example

July 1, 2009 at 8:20 PM  
Blogger InhexSTER said...

Alright its 11:30 PM and i didn't sleep well last two nights..i will go get some sleep, if you guys are able to patch it tonight or something send me instructions i will patch mine i will run a test..i have complete custom dmg ready..

July 1, 2009 at 8:24 PM  
Blogger Dmacpro91 said...

Alright. L8r. @InhexSTER Get some good sleep.

July 1, 2009 at 8:30 PM  
Blogger the chef said...

Get some sleep

July 1, 2009 at 8:34 PM  
Blogger DBDtheAbyss said...

I'm alive :D

July 1, 2009 at 10:44 PM  
Blogger DBDtheAbyss said...

I missed all the fun sorry :(

July 1, 2009 at 10:47 PM  
Blogger DBDtheAbyss said...


July 1, 2009 at 10:50 PM  
Blogger floyd25 said...


I don't think that the patch addresses geohot gave us are actually inside a file. I assume that those are memory addresses that we have to patch during boot process. What do you think?

Also, the /tmp - thing for iTunes is pretty interesting though all we get from it are our own personalized, signed files. It doesn't help a thing to include custom Software inside the pack.

But WHAT it is good for is to check our patches against the files. For example the ECID and other addresses. We can make a diff from the original files to check if we were right and that's a good thing :) Will do so now.

July 2, 2009 at 12:43 AM  
