Thread: geohot's thoughts on the new bootloader, 1.1.2 unlock
  1. #1
    Owner / Founder - ModMyi
    aka poetic_folly
    Kyle Matthews's Avatar
    Join Date
    May 2007
    Location
    Tampa, Florida, United States
    Posts
    8,473
    Thanks
    568
    Thanked 4,797 Times in 1,222 Posts

    Default geohot's thoughts on the new bootloader, 1.1.2 unlock
    geohot, or George Hotz, the guy who unlocked the first iPhone with his infamous hardware method, has posted up his thoughts on the weaknesses and possible exploits (both hardware and software) for the new iPhone boot loader.

    The reason we've been waiting so long to see an unlock solution for OTB 1.1.2 iPhones, if you don't know, is because of the new bootloader that comes with this firmware. Hackers have been plugging away at an unlock solution (big props to drudge, dinopio, roxfan, and the rest of the developers working on this), but they need new iPhones as well - don't forget to hit up jailbreakme.com and donate to them.

    From geohot:

    Hardware:
    The version check reads from 0xA0021000 and 0xA0021004 to get the version of the main firmware. It then compares the values [0xA0021000]==~[0xA0021004]. If that check fails it ignores the version check. It is also the only bootloader access into high flash. So when A16 goes high, pull any data line high or low. That will cause the check to fail, and hence the version check to be skipped. And there shouldn't be any memory accesses in the bootloader, so it'll be fine.

    Software:
    This exploit is in the way the secpack signature is padded. They did a lot to remove the really bad signature checking of the old bootloader that IPSF exploited. Although the secpack still has 0x28 bytes of data at the end that isn't checked for normal secpack sigs. The secpack sig is (0x30 header/padding, 0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding). So by spoofing the first 0x58 of the RSA, you can set any secpack and main fw sha hash you want. It is very easy in exponent 3 RSA cryptosystems to spoof the first 1/3 of the message bytes. I believe with some clever math and brute force, the whole 0x58 can be spoofed. Any cryptology experts out there?
    Source: geohot's blog.


    ↑ ↑ ↓ ↓ ← → ← → B A [select] [start] Kyle Matthews

  2. The Following User Says Thank You to Kyle Matthews For This Useful Post:

    wackybit (12-03-2007)

  3. #2
    Livin the iPhone Life yowiphone's Avatar
    Join Date
    Sep 2007
    Posts
    1,582
    Thanks
    63
    Thanked 201 Times in 181 Posts

    Yeah but there is ALWAYS TURBOSIM!!!
    Iphone Love... I dreamed of a iphone before it was out..

  4. #3
    Retired Moderator DoerrFan's Avatar
    Join Date
    Jul 2007
    Location
    Boston
    Posts
    2,291
    Thanks
    143
    Thanked 461 Times in 229 Posts

    Geohot is the man

  5. #4
    What's Jailbreak?
    Join Date
    Sep 2007
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Geohot rocks my pants.

  6. #5
    Green Apple
    Join Date
    Jul 2007
    Posts
    99
    Thanks
    28
    Thanked 7 Times in 5 Posts

    What is turbosim?

  7. #6
    iPhone? More like MyPhone maXimus's Avatar
    Join Date
    Jul 2007
    Location
    1824'N ~ 6605'W
    Posts
    162
    Thanks
    12
    Thanked 20 Times in 15 Posts

    I have a woody!!!!!!!

  8. #7
    Banned
    Join Date
    Sep 2007
    Location
    Atlanta, GA
    Posts
    460
    Thanks
    17
    Thanked 18 Times in 18 Posts

    Quote Originally Posted by maXimus:
    I have a woody!!!!!!!
    haha...geohot is the man

  9. #8
    What's Jailbreak? magsbadboy's Avatar
    Join Date
    Nov 2007
    Posts
    11
    Thanks
    7
    Thanked 0 Times in 0 Posts

    Again... THE MAN!
    If they're old enough to cross the street, they're old enough to get banged!

  10. #9
    What's Jailbreak? Dnc95's Avatar
    Join Date
    Oct 2007
    Posts
    21
    Thanks
    1
    Thanked 3 Times in 3 Posts

    I have no idea what this all means but thank you very much for all your hard work and keep it up.

  11. #10
    Green Apple
    Join Date
    Oct 2007
    Posts
    49
    Thanks
    14
    Thanked 4 Times in 4 Posts

    Just grab a turbo sim and be done with it. I've helped 5 mates out with this, and at least for 1.1.2 OTB firmware and the existing jailbreak method, this is the way

  12. #11
    Livin the iPhone Life Eurisko's Avatar
    Join Date
    Aug 2007
    Location
    Toronto, Canada
    Posts
    3,308
    Thanks
    12
    Thanked 562 Times in 483 Posts

    Boy, the TurboSIM kickbacks on this board must be enormous!
    Get "iPod & iTunes for Dummies", it'll change your life.

  13. #12
    What's Jailbreak?
    Join Date
    Dec 2007
    Posts
    28
    Thanks
    0
    Thanked 1 Time in 1 Post
    Quote Originally Posted by Eurisko:
    Boy, the TurboSIM kickbacks on this board must be enormous!
    Yeah...true.
    iPhone 8GB
    Great Music player but can only hold 1000 songs
    Need an iPhone that can hold my >100,000 songs
    I'm still dreaming.

  14. #13
    Green Apple
    Join Date
    Oct 2007
    Posts
    49
    Thanks
    14
    Thanked 4 Times in 4 Posts

    I wish.

    But you tell me how to get an OTB 1.1.2 working with BL 4.6?

  15. #14
    iPhoneaholic ReVan's Avatar
    Join Date
    Oct 2007
    Location
    BOOTLOADER
    Posts
    458
    Thanks
    6
    Thanked 525 Times in 109 Posts

    Post FW 1.1.2 Bootloader v4.6 Exploit *Update*
    An update on the exploits. A16 is a buried via, but it is right at the edge of the chip. Just scrape the epoxy away and hook a wire under there. I'd do it but a lot of my hardware stuff is at RIT. And I didn't say the software exploit would be easy, but this paper alludes to 2/3 of the message being spoofable. 2/3 is 3 bytes away from how much we need, and 3 bytes can be brute forced easily enough. Of course 1/3 is trivial to exploit with a cube root, I understand that math well enough.

    Hardware:
    The version check reads from 0xA0021000 and 0xA0021004 to get the version of the main firmware. It then compares the values [0xA0021000]==~[0xA0021004]. If that check fails it ignores the version check. It is also the only bootloader access into high flash. So when A16 goes high, pull any data line high or low. That will cause the check to fail, and hence the version check to be skipped. And there shouldn't be any memory accesses in the bootloader, so it'll be fine.

    Software:
    This exploit is in the way the secpack signature is padded. They did a lot to remove the really bad signature checking of the old bootloader that IPSF exploited. Although the secpack still has 0x28 bytes of data at the end that isn't checked for normal secpack sigs. The secpack sig is (0x30 header/padding, 0x14 main fw sha, 0x14 secpack sha, 0x28 unchecked padding). So by spoofing the first 0x58 of the RSA, you can set any secpack and main fw sha hash you want. It is very easy in exponent 3 RSA cryptosystems to spoof the first 1/3 of the message bytes. I believe with some clever math and brute force, the whole 0x58 can be spoofed. Any cryptology experts out there?
    Last edited by ReVan; 12-10-2007 at 09:41 PM.
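    The "software" paragraph quoted in post #1 and again in post #14 says that with exponent 3 the first third of the block is trivial to control via a cube root, while the full 0x58 bytes the bootloader checks are not. The added script below (editor's illustration, not geohot's or anyone's bootloader code) measures exactly that against the page's 0x30/0x14/0x14/0x28 block layout, and contrasts the prefix-only check with a verifier that compares every byte. The modulus, the 0x30-byte header contents and the two SHA-1 inputs are constructed stand-ins; the real key and header format are not on the page.

```python
import hashlib
import hmac

E = 3                                    # public exponent the post describes
BLOCK_LEN = 0x80                         # 0x30 + 0x14 + 0x14 + 0x28 = 0x80 bytes (1024-bit key)
HEADER_LEN, HASH_LEN, PAD_LEN = 0x30, 0x14, 0x28
CHECKED_LEN = HEADER_LEN + 2 * HASH_LEN  # 0x58 bytes the lenient check compares

# Constructed stand-in for the public modulus (odd, top bit set). Only the
# public half is ever used here: the cube-root trick needs no private key.
N = (1 << 1023) | (1 << 1022) | 0x1_0001
# Constructed header (PKCS#1-style 00 01 FF..); the real header is not on the page.
HEADER = b"\x00\x01" + b"\xff" * (HEADER_LEN - 2)

def rsa_public(sig: int) -> bytes:
    """Apply the public key and lay the result out as a BLOCK_LEN-byte block."""
    return pow(sig, E, N).to_bytes(BLOCK_LEN, "big")

def verify_prefix(sig: int, wanted: bytes, k: int = CHECKED_LEN) -> bool:
    """Weak check: only the first k bytes are compared (0x28 trailing bytes ignored)."""
    return rsa_public(sig)[:k] == wanted[:k]

def verify_full(sig: int, wanted: bytes, pad: bytes) -> bool:
    """Mitigation: compare the whole block, padding included, in constant time."""
    return hmac.compare_digest(rsa_public(sig), wanted + pad)

def icbrt(x: int) -> int:
    """Floor integer cube root by Newton iteration on Python big ints."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)        # starts at or above the root
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr

def cube_root_forgery(wanted: bytes) -> int:
    """s = floor(cbrt(wanted || FF..)): s**3 < N, so no reduction happens and
    roughly the top BLOCK_LEN/3 bytes of s**3 still equal `wanted`."""
    target = int.from_bytes(wanted + b"\xff" * (BLOCK_LEN - len(wanted)), "big")
    return icbrt(target)

def matched_prefix(sig: int, wanted: bytes) -> int:
    """Number of leading bytes of the recovered block that agree with `wanted`."""
    block = rsa_public(sig)
    return next((i for i, (a, b) in enumerate(zip(block, wanted)) if a != b), len(wanted))

def demo() -> dict:
    fw_sha = hashlib.sha1(b"constructed main firmware").digest()   # 0x14 bytes
    sp_sha = hashlib.sha1(b"constructed secpack").digest()         # 0x14 bytes
    wanted = HEADER + fw_sha + sp_sha                               # the 0x58 checked bytes
    sig = cube_root_forgery(wanted)
    return {"matched": matched_prefix(sig, wanted),                # about a third: >= 0x2B
            "third_ok": verify_prefix(sig, wanted, 0x2B),          # True
            "lenient_ok": verify_prefix(sig, wanted),              # False: 0x58 is out of reach
            "full_ok": verify_full(sig, wanted, b"\xff" * PAD_LEN)}  # False
```

The result shows why a verifier must compare every byte of the padded block rather than a prefix: the prefix check is exactly the margin the post is reasoning about.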

  16. #15
    Livin the iPhone Life Eurisko's Avatar
    Join Date
    Aug 2007
    Location
    Toronto, Canada
    Posts
    3,308
    Thanks
    12
    Thanked 562 Times in 483 Posts

    This is old news
    Get "iPod & iTunes for Dummies", it'll change your life.

  17. The Following User Says Thank You to Eurisko For This Useful Post:

    devilowns (12-10-2007)

  18. #16
    Green Apple
    Join Date
    Dec 2007
    Posts
    64
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Yes, old news my friend.

  19. The Following User Says Thank You to iphonesolutionz For This Useful Post:

    devilowns (12-10-2007)

  20. #17
    Green Apple
    Join Date
    Oct 2007
    Posts
    33
    Thanks
    3
    Thanked 1 Time in 1 Post
    I don't really understand this, I hope is just some kind of news telling us you are closer to an OTB 1.1.2 full unlock. This is taking a whole more time than I expected. Kinda starting to worry.

  21. #18
    Owner / Founder - ModMyi
    aka poetic_folly
    Kyle Matthews's Avatar
    Join Date
    May 2007
    Location
    Tampa, Florida, United States
    Posts
    8,473
    Thanks
    568
    Thanked 4,797 Times in 1,222 Posts

    I'm gonna go ahead and merge this with the other thread of the same subject.


    ↑ ↑ ↓ ↓ ← → ← → B A [select] [start] Kyle Matthews
