iPhone Researchers Gain a Shell
SkiifGeek writes "A team of researchers dedicated to finding means to fully control and interact with the new Apple iPhone claim to have successfully gained an interactive shell on the device. In order to achieve this feat physical access to the phone is required, as it relies on some minor electronics to be created and connected to the phone's serial port. It is believed that general control over the iPhone will be available to the enterprising researchers within a week (after all, it has only just been a week since the iPhone was released), with the promise of enough control to allow for self-propagating code not very far away."
command list (mirror) (Score:3, Informative)
help            this list
script          run script at specific address
go              jump directly to address
bootx           boot a kernel cache at specified address
diags           boot into diagnostics (if present)
tsys            boot into tsys (if present)
bdev            block device commands
image           flash image inspection
fs              file system commands
fsboot          try to boot kernel at
devicetree      create a device tree from the specified address
ramdisk         create a ramdisk from the specified address
tftp            tftp via ethernet to/from device
eload           tftp via ethernet from hardcoded install server
halt            halt the system (good for JTAG)
reboot          reboot the device
poweroff        power off the device
md              memory display - 32bit
mdh             memory display - 16bit
mdb             memory display - 8bit
mw              memory write - 32bit
mwh             memory write - 16bit
mwb             memory write - 8bit
mws             memory write - string
crc             POSIX 1003.2 checksum of memory
task            examine system tasks
printenv        print one or all environment variables
setenv          set an environment variable
clearenv        clear all environment variables
saveenv         save current environment to flash
run             use contents of environment var as script
bgcolor         set the display background color
setpicture      set the image on the display
iic             iic read/write
radio           Manipulate the radio board.
setbusclock     Set bus clock to the given frequency in Hz.
setcorevoltage  Set core voltage to the given voltage in mV.
syscfg          flash SysCfg inspection
charge          Manage the charger chip.
powernvram      Access Power NVRAM.
usb             run a USB command
nand            nand flash routines
chunk           chunk a file
7/6/2007
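The "crc" entry in the list above names the POSIX 1003.2 checksum, the algorithm behind cksum(1). As an added example (not from the post, and not the device's own code), here is that checksum in Python, so a region dumped over the serial console can be compared with the value the device prints to confirm the dump is intact; it assumes the boot loader appends the byte length the way cksum(1) does, which the list does not say.

```python
# Added example: POSIX 1003.2 'cksum' checksum over a dumped memory region.
# Assumption (not stated on the page): the device's 'crc' command appends the
# data length exactly as the cksum(1) utility does.

POLY = 0x04C11DB7  # CRC-32 generator, MSB-first (non-reflected), register starts at 0


def _crc_update(crc: int, byte: int) -> int:
    """Shift one byte into a non-reflected CRC-32 register."""
    crc ^= byte << 24
    for _ in range(8):
        if crc & 0x80000000:
            crc = ((crc << 1) ^ POLY) & 0xFFFFFFFF
        else:
            crc = (crc << 1) & 0xFFFFFFFF
    return crc


def crc32_posix(data: bytes) -> int:
    """Bare CRC-32/CKSUM model (final xor 0xFFFFFFFF, no length appended).
    Its catalogue check value for b'123456789' is 0x765E7680."""
    crc = 0
    for b in data:
        crc = _crc_update(crc, b)
    return crc ^ 0xFFFFFFFF


def cksum(data: bytes) -> int:
    """Value cksum(1) prints: CRC over the data, then over the byte length
    (least-significant byte first, no bytes for an empty input), inverted."""
    crc = 0
    for b in data:
        crc = _crc_update(crc, b)
    n = len(data)
    while n:
        crc = _crc_update(crc, n & 0xFF)
        n >>= 8
    return crc ^ 0xFFFFFFFF


def verify_dump(dump: bytes, reported: int) -> bool:
    """True when a dumped region matches the checksum the device reported."""
    return cksum(dump) == reported


if __name__ == "__main__":
    # Constructed sample: 4 KiB of repeating bytes standing in for a dumped region.
    region = bytes(range(256)) * 16
    print("cksum of constructed region:", cksum(region))
    print("cksum of empty input:", cksum(b""))  # 4294967295, as cksum(1) prints
```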
Re:command list (mirror) (Score:5, Informative)
It looks a lot like an old forth/open firmware prompt, kind of like on PowerMacs. On PowerMacs you could get a list like this when you booted while holding down some magic keys. You could even open a remote session on your open firmware if you set a server running on the target machine (this required physical access to the target machine at boot time).
If this is really what it looks like, then it's really low-level access to the hardware. OTOH, it requires physical access to the iPhone, and once you got the thing up the bootloader is likely to blow away most of the low-level environment. The real crown jewels would be decryption of the binaries on the phone, plus breaking the various validations and checksums the iPhone's doing before it runs, so you could patch them to do your evil, but that's a bigger hack.
Smells like Open Firmware (Score:3, Informative)
Not surprising, really. (Score:5, Informative)
It can be useful on its own, but to be really useful, you use it to call down a modified image which has a more versatile shell (ash comes to mind, and I know that has a BSD and prolly a Darwin port...)
Re:Looks more like a boot loader to me (Score:5, Informative)
* A serial console is now working to the device. It requires a 6.8k resistor from pin 21 to ground, and tie pin 11 (sergnd) to the real ground. You can use iPhoneInterface to send some commands in recovery mode (setenv debug-uarts 1, saveenv, and reboot), and then you'll be in the boot loader.
* Some of us believe that the boot loader is the key to really unlocking the radio but we have several other approaches a serial console has enabled us to test. A few of us have been hard at work on some proof of concept code for these pieces, and we will release them as available.
* We know exactly how to unlock the radio right now. The problem is, getting the commands to the radio has proved more difficult than we anticipated. We have a couple of different potential vectors:
o The boot loader's memory display and writing commands, or the ability to send commands to the radio directly using 'radio send'. Many of these commands report permission denied. We are interested in getting around this.
o bbupdater and imeisv can do interesting things with the radio. We are trying to get to the point where we can run these commands and get output back.
* We have made some really good progress getting third party apps to run on the phone. More information on this will be available soon.
Re:But that's what you WANT. (Score:3, Informative)
Said by someone who thinks a PC BIOS is a boot loader. New World (iMac forward?) and newer Mac roms can do it, darned near every "workstation" can do it.
Even a lot of $30 routers have boot loaders that can do tftp... once you solder on the headers to get at the serial console port like was done to the iPhone. Heck, even a PC's PXE net booting involves DHCP to get an address/etc and then followed by a tftp.
Re:I don't get it (Score:5, Informative)
http://www.nokiaphoneblog.com/2007/04/news_sony_e
That says 21.8 million units in that time period. After some more quick googling, it seems that they have a line consisting of 57 models. Thus, an average of 382k phones per model over that three month period. So, from your statement that the iPhone has sold 500k phones since it was released a week ago, I would say that Apple is having a pretty successful launch.
Re:I don't get it (Score:4, Informative)
commercial software: Handago [handago.com] Smartphone.net [smartphone.net]
free software: FreewarePPC [freewareppc.com] Freeware Palm [freewarepalm.com]
There are thousands of third-party downloadable applications for PPCs, Smartphones, Palm OS devices, Series 60 devices, etc., etc. Anyone can download an SDK and make their own apps with access to a suite of communication, sound, storage, and animation APIs.
Number of third-party downloadable applications for the iPhone that aren't web applications: zero.
Most phone application developers do not consider "look pretty" a huge priority.
What the fuck are you talking about? My Samsung Blackjack runs any application I throw at it. The default WM Smartphone configuration only runs signed programs: to fix this problem you can either add your own certificate (a matter of going to a URL with the certificate and answering Yes to a few prompts) or plugging in the device and running a program that disables all application locks.
Pocket PC and Palm OS devices do not have signature requirements that I'm aware of.
The iPhone does not have the ability to run arbitrary programs natively at all. Just web apps.
Series 60 phones often ship with Opera. Opera and a port of Mozilla called Minimo are available for Windows Mobile.
Every smartphone I have ever used has used some sort of ARM CPU, recent ones often around 400MHz. Compare this to the 620MHz iPhone ARM CPU (WebKit needs all that power to render HTML...)
I'm sure people really like it if they want to use Web 2.0 applications and listen to music. But what if they want to do something that isn't possible with the included software and isn't implementable in the iPhone's JavaScript environment?
Last I checked, there were no APIs accessible from JavaScript on the iPhone that allowed access to just about anything. No Bluetooth (so no GPS), no sound, no fancy graphics, no file access -- nothing interesting.
There are other phones that play music and do a better job of surfing the internet for cheaper: often cheap enough that you could still buy an iPod nano if you wanted.
Those applications run just as well on other mobile browsers such as Opera Mobile, for those who like to use the full version. Have you not used mobile applications recently? WEP is dead and pages are now written with XHTML. In fact, with stylesheets, the same HTML can be designed for mobile and normal-sized devices.... and even after the iPhone's widely touted support for full-sized webpages, there are lots of people talking about how they can adapt their app to use the iPhone. Hmm....
For those who don't have the luxury of being in an iPhone-friendly wifi environment, not loading advertisements and (relatively) high-res GUI elements and logos can shave a noticeable amount of time off the loading time: on my 3G device, PayPal's mobile site takes 2 seconds to load. The full site takes almost 10 and uses 122k.
Without downloadable app support, you can't download games for your phone -- you're stuck with web apps. A
Re:HAHA (Score:3, Informative)
http://en.wikipedia.org/wiki/Compaq_Portable [wikipedia.org]
http://www.bizwaremagic.com/notebook-computer-his
hmm... the HP LaserJet was available in 1984 and Ventura Publisher came out in 1986 -- a lot of businesses were definitely using PCs for typesetting from the mid to late eighties. It just wasn't quite as cut and dried as you suggest.
Re:command list (mirror) (Score:3, Informative)
http://osxbook.com/book/bonus/chapter10/tpm/#EXEC
Re:I don't get it (Score:3, Informative)
You been to the US? This only happens on select carriers. FWIW AT&T and/or T-Mobile have the least crippled phones: they're just customized GSM phones like you'll find in the rest of the world.