iPhone Researchers Gain a Shell

SkiifGeek writes "A team of researchers dedicated to finding means to fully control and interact with the new Apple iPhone claim to have successfully gained an interactive shell on the device. In order to achieve this feat physical access to the phone is required, as it relies on some minor electronics to be created and connected to the phone's serial port. It is believed that general control over the iPhone will be available to the enterprising researchers within a week (after all, it has only just been a week since the iPhone was released), with the promise of enough control to allow for self-propagating code not very far away."
  • by larry bagina ( 561269 ) on Friday July 06, 2007 @11:24PM (#19776501) Journal
    command list:
            help this list
            script run script at specific address
            go jump directly to address
            bootx boot a kernel cache at specified address
            diags boot into diagnostics (if present)
            tsys boot into tsys (if present)
            bdev block device commands
            image flash image inspection
            fs file system commands
            fsboot try to boot kernel at /kernelcache
            devicetree create a device tree from the specified address
            ramdisk create a ramdisk from the specified address
            tftp tftp via ethernet to/from device
            eload tftp via ethernet from hardcoded install server
            halt halt the system (good for JTAG)
            reboot reboot the device
            poweroff power off the device
            md memory display - 32bit
            mdh memory display - 16bit
            mdb memory display - 8bit
            mw memory write - 32bit
            mwh memory write - 16bit
            mwb memory write - 8bit
            mws memory write - string
            crc POSIX 1003.2 checksum of memory
            task examine system tasks
            printenv print one or all environment variables
            setenv set an environment variable
            clearenv clear all environment variables
            saveenv save current environment to flash
            run use contents of environment var as script
            bgcolor set the display background color
            setpicture set the image on the display
            iic iic read/write
            radio Manipulate the radio board.
            setbusclock Set bus clock to the given frequency in Hz.
            setcorevoltage Set core voltage to the given voltage in mV.
            syscfg flash SysCfg inspection
            charge Manage the charger chip.
            powernvram Access Power NVRAM.
            usb run a USB command
            nand nand flash routines
            chunk chunk a file
  • by eln ( 21727 ) * on Friday July 06, 2007 @11:35PM (#19776563)
    Given the command list provided, it may hold some promise. The fact that it has tftp and the ability to boot from a specified kernel image (hard-coded name though) opens up the possibility of uploading and booting from a custom kernel (if the shell in question has write perms to /kernelcache anyway, no indication that it does). It also can write to memory, which is intriguing as well. It can also do exciting things like adjust core voltage, so maybe you could use this to fry your iPhone. If, you know, that's what you're into.
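Added example (Python; not code from this thread or from the iPhone project): a small parser for a boot-loader `help` listing like the one larry bagina pasted, which groups commands by the capability they grant, so that eln's reading of the list (memory writes, network loading, core-voltage control) becomes a repeatable check on any serial-console dump. The trimmed sample listing, the capability names and the regular expressions are my own constructed choices; the command names and descriptions are those from the post.

```python
"""Classify what a boot-loader 'help' listing exposes.

Added example, not code from the thread. Each 'name description' line of a
help dump is parsed and the description matched against a few capability
patterns; the result is a list of what a console like this hands to anyone
holding the serial cable. The listing below is a constructed subset of the
one posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample, trimmed from the posted command list.
HELP_TEXT = """\
command list:
        help this list
        go jump directly to address
        bootx boot a kernel cache at specified address
        tftp tftp via ethernet to/from device
        md memory display - 32bit
        mw memory write - 32bit
        mwb memory write - 8bit
        printenv print one or all environment variables
        setenv set an environment variable
        saveenv save current environment to flash
        setcorevoltage Set core voltage to the given voltage in mV.
        reboot reboot the device
        chunk chunk a file
"""

# Capability buckets (assumed names), matched against the lower-cased description.
CAPABILITIES = {
    "memory_write":   re.compile(r"memory write"),
    "memory_read":    re.compile(r"memory display"),
    "code_execution": re.compile(r"\b(jump|boot)\b"),      # \bboot\b does not match 'reboot'
    "network_load":   re.compile(r"\btftp\b"),
    "persistent_env": re.compile(r"environment.*flash|set an environment"),
    "power_control":  re.compile(r"\b(voltage|clock|charger)\b"),
}


def parse_help(text):
    """Return {command: description} from a 'name description' listing."""
    commands = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):      # skip blanks and the 'command list:' header
            continue
        name, _, desc = line.partition(" ")
        commands[name] = desc.strip()
    return commands


def classify(commands):
    """Return {capability: sorted command names} for every capability seen."""
    buckets = defaultdict(list)
    for name, desc in commands.items():
        for cap, pattern in CAPABILITIES.items():
            if pattern.search(desc.lower()):
                buckets[cap].append(name)
    return {cap: sorted(names) for cap, names in buckets.items()}


def exposure_summary(text):
    """Parse a help dump and report which sensitive capabilities it exposes."""
    caps = classify(parse_help(text))
    return {"capabilities": caps, "exposed": sorted(caps)}


if __name__ == "__main__":
    summary = exposure_summary(HELP_TEXT)
    for cap in summary["exposed"]:
        print(f"{cap:15s} {', '.join(summary['capabilities'][cap])}")
```

The useful output is the `exposed` list: a console that reports `memory_write` together with `code_execution` and `persistent_env` is one where a physically present party can alter what the device boots and make it stick, which is the threat model the rest of this thread argues about.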
  • by iluvcapra ( 782887 ) on Friday July 06, 2007 @11:44PM (#19776637)

    It looks a lot like an old forth/open firmware prompt, kind of like on PowerMacs. On PowerMacs you could get a list like this when you booted while holding down some magic keys. You could even open a remote session on your open firmware if you set a server running on the target machine (this required physical access to the target machine at boot time).

    If this is really what it looks like, then it's really low-level access to the hardware. OTOH, it requires physical access to the iPhone, and once you got the thing up the bootloader is likely to blow away most of the low-level environment. The real crown jewels would be decryption of the binaries on the phone, plus breaking the various validations and checksums the iPhone's doing before it runs, so you could patch them to do your evil, but that's a bigger hack.

  • by vrmlguy ( 120854 ) <samwyse@nosPAM.gmail.com> on Saturday July 07, 2007 @12:06AM (#19776783) Homepage Journal
    Not that that's a bad thing. Here's Wikipedia:

    Open Firmware (also, OpenBoot) is a hardware-independent firmware (computer software which loads the operating system), developed by Mitch Bradley at Sun Microsystems, and used in post-NuBus PowerPC-based Apple Macintosh computers, Sun Microsystems SPARC based workstations and servers, IBM POWER systems, Pegasos systems, and the laptop designed by OLPC among others. It is available under a BSD license. The proposed Power Architecture Platform Reference will also be Open Firmware based. On those computers, Open Firmware fulfills the same tasks as BIOS does on PC computers.

    It is accessed, by users, by a Forth-based shell interface. Forth is a powerful high-level language. For example, it is possible to program Open Firmware to solve the Tower of Hanoi problem.
    So, can you run your vast collection of bash scripts? Probably not. But Forth is a pretty cool language that's fun to play with.
  • by Penguinisto ( 415985 ) on Saturday July 07, 2007 @12:20AM (#19776875) Journal
    tftp is common in many embedded devices... during development, it's where the test OS images come from. During production, it's often how updated images and patches can be called from the computer (or in the iPhone's case, downloaded). The early days of Familiar Linux (which ran on an iPaq) used PPP simulated over a serial line to shovel image files to the PDA.

    It can be useful on its own, but to be really useful, you use it to call down a modified image which has a more versatile shell (ash comes to mind, and I know that has a BSD and prolly a Darwin port...)

    /P

  • by garcia ( 6573 ) on Saturday July 07, 2007 @01:01AM (#19777109)
    Check out the iPhone Dev Wiki here [fiveforty.net]. As of 10:15 PM (July 6th) they are here [fiveforty.net]:

    * A serial console is now working to the device. It requires a 6.8k resistor from pin 21 to ground, and tie pin 11 (sergnd) to the real ground. You can use iPhoneInterface to send some commands in recovery mode (setenv debug-uarts 1, saveenv, and reboot), and then you'll be in the boot loader.

    * Some of us believe that the boot loader is the key to really unlocking the radio but we have several other approaches a serial console has enabled us to test. A few of us have been hard at work on some proof of concept code for these pieces, and we will release them as available.

    * We know exactly how to unlock the radio right now. The problem is, getting the commands to the radio has proved more difficult than we anticipated. We have a couple of different potential vectors:
        o The boot loader's memory display and writing commands, or the ability to send commands to the radio directly using 'radio send'. Many of these commands report permission denied. We are interested in getting around this.
        o bbupdater and imeisv can do interesting things with the radio. We are trying to get to the point where we can run these commands and get output back.

    * We have made some really good progress getting third party apps to run on the phone. More information on this will be available soon.
  • by jmorris42 ( 1458 ) * <jmorris@bea u . o rg> on Saturday July 07, 2007 @01:38AM (#19777305)
    > I mean, tftp isn't something you launch from a boot loader, is it?

    Said by someone who thinks a PC BIOS is a boot loader. New World (iMac forward?) and newer Mac roms can do it, darned near every "workstation" can do it.

    Even a lot of $30 routers have boot loaders that can do tftp... once you solder on the headers to get at the serial console port like was done to the iPhone. Heck, even a PC's PXE net booting involves DHCP to get an address/etc and then followed by a tftp.
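Added example (Python; not code from the thread): an in-memory walk through a TFTP read (RFC 1350), the transfer that PXE and the boot loaders discussed here use to fetch images. Both sides of the exchange are implemented (RRQ, DATA, ACK, ERROR) against a constructed dictionary of files; the `kernelcache` filename echoes the thread, everything else is assumed. Seeing the request format makes the security property plain: it carries only an opcode, a filename and a mode, so whatever authorization exists has to come from the server's file set or the network, not from the protocol.

```python
"""In-memory TFTP (RFC 1350) read exchange, both client and server side.

Added example, not from the thread. Packets are built and parsed exactly as
they would go on the wire, but nothing is sent: the 'server' answers from a
constructed dictionary of files, which is also the only access control it has.
"""
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512                 # RFC 1350 data block; a shorter block ends the transfer
ERR_NOT_FOUND, ERR_ILLEGAL_OP = 1, 4


def build_rrq(filename, mode="octet"):
    """Read request: opcode, filename, mode, each NUL-terminated. No auth field exists."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(pkt):
    """Return (filename, mode) from an RRQ packet; raise on anything else."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op != OP_RRQ:
        raise ValueError("not a read request")
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:                 # filename, mode, and the trailing empty field
        raise ValueError("truncated request")
    return fields[0].decode(), fields[1].decode().lower()


def build_data(block_no, payload):
    return struct.pack("!HH", OP_DATA, block_no) + payload


def build_ack(block_no):
    return struct.pack("!HH", OP_ACK, block_no)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def tftp_read(files, filename):
    """Run a complete read exchange in memory.

    files is the server's whole namespace (a dict), so a request can only name
    what the operator put there. Returns (data, log); data is None after an
    ERROR reply. log lists (sender, opcode, block_no) in wire order.
    """
    log = []
    name, mode = parse_rrq(build_rrq(filename))   # client builds, server parses
    log.append(("client", OP_RRQ, 0))
    if mode not in ("octet", "netascii"):
        build_error(ERR_ILLEGAL_OP, "Illegal TFTP operation")
        log.append(("server", OP_ERROR, 0))
        return None, log
    if name not in files:
        build_error(ERR_NOT_FOUND, "File not found")
        log.append(("server", OP_ERROR, 0))
        return None, log
    content = files[name]
    received = bytearray()
    block_no = 1
    while True:
        chunk = content[(block_no - 1) * BLOCK : block_no * BLOCK]
        data_pkt = build_data(block_no, chunk)          # server -> client
        log.append(("server", OP_DATA, block_no))
        _, acked = struct.unpack("!HH", data_pkt[:4])   # client reads header
        received += data_pkt[4:]
        build_ack(acked)                                # client -> server
        log.append(("client", OP_ACK, acked))
        if len(chunk) < BLOCK:      # short (possibly empty) block: end of file
            return bytes(received), log
        block_no += 1


if __name__ == "__main__":
    demo_files = {"kernelcache": b"k" * 1200}           # constructed sample image
    image, transcript = tftp_read(demo_files, "kernelcache")
    print(len(image), "bytes in", sum(1 for e in transcript if e[1] == OP_DATA), "blocks")
```

The exchange is the whole story of why boot-time TFTP is treated as a trusted-network-only service: the server's only decision point is whether the requested name is in its file set, and the client has no way to verify who answered. On a build or lab network the defensive controls are therefore a fixed file set, a segregated VLAN, and logging of every RRQ filename, none of which the protocol supplies on its own.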
  • by BlueStraggler ( 765543 ) on Saturday July 07, 2007 @01:43AM (#19777331)
    That's not a shell, it's a boot prompt with some firmware commands - the non-PC equivalent of a BIOS setup screen. Calling that a shell is like calling the BIOS setup screen Windows. Granted, it's a start, because it may allow you to load and boot alternative kernels, but "shell" implies a command shell around an OS. All they appear to have done is completely broken the iPhone so that it won't boot; the machine is falling back to its ROM prompt in the hopes that someone can manually tell it how to boot.
  • Re:I don't get it (Score:5, Informative)

    by forlornhope ( 688722 ) on Saturday July 07, 2007 @01:49AM (#19777365) Homepage
    I have a hard time believing any phone sold 22 million in 3 months. Maybe over the lifetime of the phone. Let's ask google what it thinks.

    http://www.nokiaphoneblog.com/2007/04/news_sony_ericssons_earnings_r.html [nokiaphoneblog.com]

    That says 21.8 million units in that time period. After some more quick googling, it seems that they have a line consisting of 57 models. Thus, an average of 382k phones per model over that three month period. So, from your statement that the iPhone has sold 500k phones since it was released a week ago, I would say that Apple is having a pretty successful launch.
  • Re:I don't get it (Score:3, Informative)

    by Phroggy ( 441 ) <slashdot3.phroggy@com> on Saturday July 07, 2007 @01:57AM (#19777413) Homepage
    Opera Mobile [opera.com] isn't a real web browser?
  • Re:I don't get it (Score:4, Informative)

    by nxtw ( 866177 ) on Saturday July 07, 2007 @02:51AM (#19777649)

    You should check again, specifically for the "thriving" part.

    commercial software: Handago [handago.com] Smartphone.net [smartphone.net]
    free software: FreewarePPC [freewareppc.com] Freeware Palm [freewarepalm.com]

    There are thousands of third-party downloadable applications for PPCs, Smartphones, Palm OS devices, Series 60 devices, etc., etc. Anyone can download an SDK and make their own apps with access to a suite of communication, sound, storage, and animation APIs.
    Number of third-party downloadable applications for the iPhone that aren't web applications: zero.

    > Phone apps look like 1992's ass.

    Most phone application developers do not consider "look pretty" a huge priority.

    > Usually the phones are crippled in some way, so that is not true.

    What the fuck are you talking about? My Samsung Blackjack runs any application I throw at it. The default WM Smartphone configuration only runs signed programs: to fix this problem you can either add your own certificate (a matter of going to a URL with the certificate and answering Yes to a few prompts) or plugging in the device and running a program that disables all application locks.
    Pocket PC and Palm OS devices do not have signature requirements that I'm aware of.

    The iPhone does not have the ability to run arbitrary programs natively at all. Just web apps.

    > Can I run a real Web browser? No.

    Series 60 phones often ship with Opera. Opera & a port of Mozilla called Minimo are available for Windows Mobile.

    > The phones you're talking about are pocket calculators with phones in them

    Every smartphone I have ever used has used some sort of ARM CPU, recent ones often around 400MHz. Compare this to the 620MHz iPhone ARM CPU (WebKit needs all that power to render HTML...)

    > The iPhone is an iPod with a phone AND a Web 2.0 browser in it. People really like it.

    I'm sure people really like it if they want to use Web 2.0 applications and listen to music. But what if they want to do something that isn't possible with the included software and isn't implementable in the iPhone's JavaScript environment?
    Last I checked, there were no APIs accessible from JavaScript on the iPhone that allowed access to just about anything. No Bluetooth (so no GPS), no sound, no fancy graphics, no file access -- nothing interesting.

    There are other phones that play music and do a better job of surfing the internet for cheaper: often cheap enough that you could still buy an iPod nano if you wanted.

    > The apps that regular people run are MySpace, YouTube, Flickr, Facebook, eBay, and they want to run the whole app, not just see some snippets of text out of each page with no formatting. So for most users the iPhone is a better application platform than other phones.

    Those applications run just as well on other mobile browsers such as Opera Mobile, for those who like to use the full version. Have you not used mobile applications recently? WEP is dead and pages are now written with XHTML. In fact, with stylesheets, the same HTML can be designed for mobile and normal-sized devices.... and even after the iPhone's widely touted support for full-sized webpages, there are lots of people talking about how they can adapt their app to use the iPhone. Hmm....

    For those who don't have the luxury of being in an iPhone-friendly wifi environment, not loading advertisements and (relatively) high-res GUI elements and logos can shave a noticeable amount of time off the loading time: on my 3G device, PayPal's mobile site takes 2 seconds to load. The full site takes almost 10 and uses 122k.

    Without downloadable app support, you can't download games for your phone -- you're stuck with web apps. A

  • Re:HAHA (Score:3, Informative)

    by CryBaby ( 679336 ) on Saturday July 07, 2007 @05:49AM (#19778357)

    > It's Compaq's one and only claim to fame, and the reason their name is a play on "compatible."

    The Compaq name comes from "compact", not "compatible". Their first product was a portable PC. I was just a kid when it came out, but I recall that the meaning of the company name was "common knowledge" at the time.
    http://en.wikipedia.org/wiki/Compaq_Portable [wikipedia.org]
    http://www.bizwaremagic.com/notebook-computer-history.htm [bizwaremagic.com]

    > If the battle was openness then Apple II would win. Instead what happened was the 98% of businesses that had IBM Selectric typewriters bought IBM PC's.

    Well, the brand name certainly helped, but so did Lotus 123, WordStar, MultiMate, WordPerfect, dBase, etc. At almost any point in the 80's, the most desirable business software was available for the PC and not the Apple II. Obviously, it quickly became a chicken-and-egg situation but software played a critical role in the PC's dominance right from the beginning (not that I'm happy about it).

    > As for the Mac, it sold really well to an entirely different market because it was the only computer with graphics, typography, laser printer. In 1984 you did typesetting the same way it was done in 1884, but by 1988 you were using a Mac. The IBM PC and the Mac simply did not compete with each other.

    hmm... the HP LaserJet was available in 1984 and Ventura Publisher came out in 1986 -- a lot of businesses were definitely using PC's for typesetting from the mid to late eighties. It just wasn't quite as cut and dried as you suggest.
  • by daveschroeder ( 516195 ) * on Saturday July 07, 2007 @09:22AM (#19779241)
    Apple does not use TPM in any way on Mac OS X (either at present, or at any time in the past):

    http://osxbook.com/book/bonus/chapter10/tpm/#EXECUTIVE_SUMMARY [osxbook.com]
  • Re:I don't get it (Score:3, Informative)

    by nxtw ( 866177 ) on Sunday July 08, 2007 @01:42AM (#19786393)

    > You live in the US? The land of broken bluetooth, crippled wifi and no ringtones except those bought from the carrier? In that 3rd world country of crippled-by-carrier phones, that is true to some extent.

    You been to the US? This only happens on select carriers. FWIW AT&T and/or T-Mobile have the least crippled phones: they're just customized GSM phones like you'll find in the rest of the world.
