iPhone Researchers Gain a Shell

SkiifGeek writes "A team of researchers dedicated to finding means to fully control and interact with the new Apple iPhone claim to have successfully gained an interactive shell on the device. In order to achieve this feat physical access to the phone is required, as it relies on some minor electronics to be created and connected to the phone's serial port. It is believed that general control over the iPhone will be available to the enterprising researchers within a week (after all, it has only just been a week since the iPhone was released), with the promise of enough control to allow for self-propagating code not very far away."

Turtle Power!

iPhone Researchers Gain a Shell

So ... they're now more turtle-like? Or becoming hardened from low blow attacks about prices?

And calling them 'researchers?' Oh, come on. 'Hacker' is an appropriate term, just ask Paul Graham [paulgraham.com].

Re:Turtle Power!

The difference between a "researcher" and a "hacker" is that a "researcher" works in a nice shiny office building or school campus, while a "hacker" works at home or his mom's basement.

Seriously, if blogs mean anybody can become a journalist, if open source means anybody can write code used in mission critical systems, I think it's only fair that any random curious person can be a "researcher".

Looks more like a boot loader to me

The list of commands given make it sound more like a boot loader than a shell.

But that's what you WANT.

The list of commands given make it sound more like a boot loader than a shell.

Yep. Sounds like a bootstrapping and image management firmware. (A pretty capable one, though. Not some minimalist system launcher.)

But isn't that what you WANT if you're trying to establish control of your machine? Why live within the old image's limitations if you can replace it?

Meanwhile this has lots of debugging and control tools suitable for tweaking and reverse-engineering the running image And that command list sure looks like it will let you load and launch a debugging tool that's more capable and give that tool even more control of the running system than is built into this firmware.

This machine is about to be opened, whether Apple likes it or not.

(I wouldn't be surprised if - at some level within the company - they really wanted it to be opened and only launched it in closed form so they could write contracts with networking companies and obtain FCC type approval. Plausible deniability at work.)

Re:Looks more like a boot loader to me

Check out the iPhone Dev Wiki here [fiveforty.net]. As of 10:15 PM (July 6th) they are here [fiveforty.net]:

* A serial console is now working to the device. It requires a 6.8k resistor from pin 21 to ground, and tie pin 11 (sergnd) to the real ground. You can use iPhoneInterface to send some commands in recovery mode (setenv debug-uarts 1, saveenv, and reboot), and then you'll be in the boot loader.

        * Some of us believe that the boot loader is the key to really unlocking the radio but we have several other approaches a serial console has enabled us to test. A few of us have been hard at work on some proof of concept code for these pieces, and we will release them as available.

        * We know exactly how to unlock the radio right now. The problem is, getting the commands to the radio has proved more difficult than we anticipated. We have a couple of different potential vectors:
                    o The boot loader's memory display and writing commands, or the ability to send commands to the radio directly using 'radio send'. Many of these commands report permission denied. We are interested in getting around this.
                    o bbupdater and imeisv can do interesting things with the radio. We are trying to get to the point where we can run these commands and get output back.

        * We have made some really good progress getting third party apps to run on the phone. More information on this will be available soon.

I don't get it

There are thousands of phones out there - why concentrate such incredible efforts on the iPhone specifically? Don't the other phones out there need to... uhmmm...

Oh, ok, the other phones have API and aren't locked to AT&T.

I get it now.

Re:I don't get it

Last I checked, Palm OS, Windows Mobile, and Symbian all have native APIs with SDKs you can download along with thriving third-party software support. No cracking required! You can run real applications that work without an internet connection and write your applications in languages other than JavaScript.

There may be signing requirements that (at least in the case of Windows Mobile) can be bypassed by disabling signature checks on executables or (a much better solution IMO) adding your own certificate to the list of trusted certificates and signing.

And standard "dumb" phones in the GSM world along with Blackberries have Java 2 ME, which has SDKs you can download to write applications that are downloaded to and run on the device... they can often interface things like sound, Bluetooth, etc., making GPS applications possible.

No hacking required! No funky way to get a serial connection required! Just at least one way to get applications on the phone (which includes over-the-air via the Internet and USB -- sometimes even Bluetooth).

Re:I don't get it

I have a hard time believing any phone sold 22 million in 3 months. Maybe over the lifetime of the phone. Lets ask google what it thinks.

http://www.nokiaphoneblog.com/2007/04/news_sony_er icssons_earnings_r.html [nokiaphoneblog.com]

That says 21.8 million units in that time period. After some more quick googling, it seems that they have a line consisting of 57 models. Thus, an average of 382k phones per model over that three month period. So, from your statement that the iPhone has sold 500k phones since it was released a week ago, I would say that Apple is having a pretty successful launch.

It's the iShell

As in iShelled out a lot of cash for this phone. Am I nuts?!

These guys are total wusses!

I just got back from seeing Live Free or Die Hard. That Mac Guy from the advertisements can hack into the electric grid of the entire eastern United States in a matter of minutes (all while distracted by that sexy new Japanese camera model that speaks his language, hajimemashite, say no more, say no more), using nothing but a little rollup USB keyboard and a stolen Verizon mobile. What the hell is taking YOU guys so long to hack into this iPhone thing? Think Different! ;)

Re:That's quite a jump

Given the command list provided, it may hold some promise. The fact that it has tftp and the ability to boot from a specified kernel image (hard-coded name though) opens up the possibility of uploading and booting from a custom kernel (if the shell in question has write perms to /kernelcache anyway, no indication that it does). It also can write to memory, which is intriguing as well. It can also do exciting things like adjust core voltage, so maybe you could use this to fry your iPhone. If, you know, that's what you're into.

Not surprising, really.

tftp is common in many embedded devices... during development, it's where the test OS images come from. During production, it's often how updated images and patches can be called from the computer (or in the iPhone's case, downloaded). the early days of Familiar Linux (which ran on an iPaq) used PPP simulated over a serial line to shovel image files to the PDA.

It can be usefu on its ownl, but to be really useful, you use it to call down a modified image which has a more versatile shell (ash comes to mind, and I know that has a BSD and prolly a Darwin port...)

/P

Re:That's quite a jump

That's not a shell, it's a boot prompt with some firmware commands - the non-PC equivalent of a BIOS setup screen. Calling that a shell is like calling the BIOS setup screen Windows. Granted, it's a start, because it may allow you to load and boot alternative kernels, but "shell" implies a command shell around an OS. All they appear to have done is completely broken the iPhone so that it won't boot; the machine is falling back to its ROM prompt in the hopes that someone can manually tell it how to boot.

Re:command list (mirror)

It looks a lot like an old forth/open firmware prompt, kind of like on PowerMacs. On PowerMacs you could get a list like this when you booted while holding down some magic keys. You could even open a remote session on your open firmware if you set a server running on the target machine (this required physical access to the target machine at boot time).

If this is really what it looks like, then it's really low-level access to the hardware. OTOH, it requires physical access to the iPhone, and once you got the thing up the bootloader is likely to blow away most of the low-level environment. The real crown jewels would be decryption of the binaries on the phone, plus breaking the various validations and checksums the iphone's doing before it runs, so yous could patch them to do your evil, but that's a bigger hack.

Re:command list (mirror)

Actually, it's been reported that the iPhone doesn't require signed binaries. You can swap and modify them at will.

There's a restore image, and they have managed to decrypt, extract, and modify said image before sending it to the phone. The executables aren't encrypted or signed on the device; however, the restore image has a password. They have the password.

Re:command list (mirror)

I hope that this is true. I am really itching to write apps for the iPhone. The interface makes it an interesting device. The problem that most people have when reviewing it is that they have to compare it to already known devices. Yes, the keyboard won't be as good as a real hardware for typing speed. However, it does open the possibilities of things previously not possible, such as modifiable keyboard (except for that vapor-ware one with the OLED keys). Additionally, the Jeff Han video has shown some other cool possibilities (beyond the stretch thing that is currently used .. which is cool, but doesn't mean more isn't possible).

It's interesting to see how Apple has so far managed security. Unlike other companies, at least so far, they don't seem set on complete lock down. For example, so far they seem only to use the Trusted Computing to make their OS run on Apple hardware only. They could be a lot more evil with it. Even the DRM on their music. While the change it up occasionally, they at least haven't made a lot of sound about PlayFair.

As for the iPhone, it might be a matter that they're fine with people hacking it, as long as they don't have to be held responsible for it. That is, if your iPhone starts crashing, it's because you put programs on it that you weren't supposed to. Doing so also allows them to watch what other people are doing with the HW (free R&D). It's somewhat similar to what the did with Bootcamp. They didn't actively stop people from getting Windows booting on the Intel computers, but they also didn't help.

I guess the two telling signs of this will be if: (a) Apple patches this with their next update (an update coming real soon?), and (b) if they force signed binaries to run on the iPhone.

Re:command list (mirror)

I believe Gruber was misinformed on the issue (first time that ever happened, surely.) My Intel Macbook and Intel Mac Pro do not have a TPM:

$ ioreg | grep tpm

$ ioreg | grep TPM

$ ioreg | grep infineon

I'm not just taking ioreg's word for it, at least in the case of the Mac Pro. I've opened it and can't find an infineon or any other unaccounted-for LPC IC.

Just because it's hard for J. Random Cracker to get an OS running on a hardware platform it's not supported on, without the source code. doesn't mean someone's lying. Further, the teardowns of the iPhone available on the internet include no mention of a trusted platform module, which is a physical artifact, not an "implementation."

(Let us not forget of course, the presence of the Dont_Steal_Mac_OS_X device, whose manifestation and theory of operation remain shrouded in mystery ;P)

Re:command list (mirror)

Don't forget the essentials:
IDSPISPOPD - no clipping (walk through walls with iPhone)
IDBEHOLDS - Berserker! With iPhone!
IDDQD - God/Steve Jobs mode (not just a seafood restaurant, but a reservation at that restaurant)

Re:HAHA

Imagine if Apple tried to copy the Xbox like they copied the Microsoft's smart phones. Their Apple hardware would be ripped off! Idiots.

You mean like how IBM's opening of the PC just as Apple closed theirs (with Lisa and the initial Mac)? And laughed all the way to the bank as the PC took over the world - with IBM selling "true blue" desktop hardware into the business market for years while the clones became the standard for home users.

Yeah, what Idiots. B-)

Re:HAHA

IBM didn't open the IBM PC, Compaq did. That is well known. It's Compaq's one and only claim to fame, and the reason their name is a play on "compatible."

The IBM PC came out in 1982 and competed with the Apple II throughout the 80's. That was Apple's business machine. The Apple II had more slots than IBM PC and years of hardware hacking documentation behind it, as well as color display, and Woz' encouragement. If the battle was openness then Apple II would win. Instead what happened was the 98% of businesses that had IBM Selectric typewriters bought IBM PC's.

As for the Mac, it sold really well to an entirely different market because it was the only computer with graphics, typography, laser printer. In 1984 you did typesetting the same way it was done in 1884, but by 1988 you were using a Mac. The IBM PC and the Mac simply did not compete with each other.

Re:"self-propagating code"

Self-propagating always means 'bad'.

...said the life-form.

Re:"self-propagating code"

A life form that didn't self-propagate. I'm pretty sure he had parents. If self-propagation were possible, I'd have about 180 billion children by now.

Re:Developing for the mobile market...

Not trying to flame here, but it never ceases to amaze me that people will just assume that Apple is completely short-sighted. There are billions of dollars at stake, and Apple has been working on this device for years. Do you really think that they haven't considered this carefully? That there is some "classic tale" that somehow people at Apple are too blind to see?

Apple has learned many lessons, and many of them are much more relevant to the success of the iPhone than the decision in the early days of the Mac to not license the operating system. They have learned that you don't necessarily need the most apps, you need great apps. The iPhone, one way or another, will have great apps. From the iPod, they have learned that keeping full control over the device enables them to move more nimbly, unlike the cumbersome PlaysFor{not}Sure system developed by Microsoft.

Windows Mobile is already out there and has been out there for years. Yet, the iPhone can come along and make an immediate, serious impact on the market. Apple knows what it is doing, and they will do with the iPhone what they need to do to keep it competitive.

Re:Developing for the mobile market...

> It's the classic tale that Apple seems to have not yet learnt, the only way to gain long term success in a market
> is to allow 3rd parties to develop under your platform and support you.

You are making the mistake of thinking "3rd party development == C coders."

The iPod has millions of third-party developers. They make music and movies. For example, Disney/Pixar, Dixie Chicks, Eminem, 20th Century Fox.

The iPhone has millions of third-party developers. They make Web apps. For example, YouTube, Flickr, eBay, MySpace, Facebook, Twitter.

An hour into your iPhone ownership you probably have the work of hundreds if not thousands of third-parties on your iPhone. Throughout an iPhone's two year life span (both the hardware and service contract are $X/month for 24 months) a typical user will probably have 1000x the third-party data in their iPhone than if they were using another phone. The iPhone has so much more storage, syncs so much more easily with your music and movies, and has a real Web browser and Wi-Fi so you can chew up a lot of Web over two years.

So if your standard for greatness is third-parties then you have predicted iPhone's impending world domination.

So how do I write an input method as a web applet?

You are making the mistake of thinking "3rd party development == C coders."

No, I'm making the mistake of thinking "applications" == "things that run on the phone".

Web applets? I've used them on my Palm and Pocket PC, years before the iPhone was a twinkle in Steve's eye. Every device has these... they *also* run software on the device itself, so you can use them with the battery-eating radio shut down.

One of the most popular classes of applications on the Palm, for example, are input methods. You want something faster than their predictive keyboard? Sorry, you're out of luck. You want an eBook reader that doesn't require you to be online the whole time you're reading? Uh-uh, you don't get that. An aplication I use all the time is a shopping list app... that I couldn't use on the iPhone even if it was available as a web applet because there's a big fat dead area near the back of my neighborhood supermarket.

This doesn't mean that it won't be a popular device. A lot of people seem happy with fancy dumb phones, but claiming that this is in any way comparable to the ability to run real native applications, or that being able to run web applets is some kind of unique feature of the iPhone, is just daft. That's something the competition has been doing for almost a decade now, and unless the people writing the applets are particularly stupid they're almost all going to work on any handheld. Certainly the only ones I've found that are iPhone-only are ones that explicitly check to see if they're running on one.