

Thread: 1.1.1: Where are we at?

  1. #1
    1.1.1: Where are we at?
    I've been cruising these forums for days now. What is the scene doing with the 1.1.1 issue? Are we just going to roll over and take it?

    Here are my ideas (I hope to start on them monday):

    When the restore process "extracts" the restore image, where are those extracted files? %TEMP%\ ? The restore image is a zip file, so does "extracting" simply mean it's unzipping the .dmg files out of the zip? Does iTunes then read and decrypt each file from the dmg one at a time and shoot it over the now-encrypted link? Does each file in the dmg have a crc/md5/whatever check, or is the check more of an overall-dmg integrity check, which probably checks for a signature? Once a file is decrypted and in memory, wouldn't it be possible to change the file to be sent (via WriteProcessMemory?) Doesn't iTunes use a dll for transferring files? Wouldn't injecting yourself into the iTunes process and hooking those dll calls give you the opportunity to catch files as they go by and inject your own files? Calc becomes installer and poof, pwnt.

    1.1.1 is an act of war in my opinion - time to suit up.

    (sorry for the iTypos)

  2. #2
    This thread is a wee bit old. I know where 1.1.1 stands (everyone is rolling back to 1.0.2).

    I thought I'd post my findings anyway.

    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesPrefs mode: 2 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesLock mode: 3 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesControl mode: 2 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesPrefs mode: 2 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesDB mode: 2 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesPrefs mode: 3 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesPrefs mode: 2 )
    AFCFileRefOpen( path: /com.apple.itunes.lock_sync mode: 2 )
    AFCFileRefOpen( path: /com.apple.itunes.syncing mode: 3 )
    AFCFileRefOpen( path: /iTunes_Control/iTunes/iTunesPrefs mode: 2 )
    This stuff seems to happen when iTunes does a normal sync. I ran my hooks during a couple of restore sessions (restoring from 1.1.1 to 1.1.1) and the functions I'm hooking don't get any action.

    This suggests to me that this new restore mode is like a disk duplicate command (dd isn't it?) where iTunes pulls up the encrypted .dmg, decrypts it on the fly and then blindly chunks in buffer load after buffer load of the disk image onto the phone's system partition.

    The interesting thing to me is that this new-fangled way of rolling back to 1.0.2 involves holding buttons on the phone in a specific sequence that obviously puts the phone in recovery mode outside of iTunes. Then, when it's in recovery mode, iTunes cannot grab the version information from the phone, so it blindly starts loading whatever recovery image you feed it (I expect that will be the next fix). Apparently, it's even backward compatible with the previous encoding scheme from 1.0.x.

    Getting to the point, the only way I see 1.1.1 getting modded is if someone can extract the files out of the .dmg. Once that's done, the modded files (ssh, bin-kit, whatever) could be merged into the new files, a newly encoded dmg could be made (1.0.x encoding would be fine), the phone could then be manually put into recovery mode and iTunes used to load the modded image back onto the phone.

    Anyway, just one guy's ramblings... ( wish I could get on stinkin' IRC at work without IT busting my chops =/ )

  3. #3
    Well, how do we decrypt the .dmg? Once that's done, then jailbreak should be easy.

    It extracts the firmware to the hard drive, but where? My HD space drops as the iTunes "extracting software" step is running.
    Last edited by freshfitz; 2007-10-02 at 04:34 AM. Reason: Automerged Doublepost
