iPhone Researchers Gain a Shell 242

SkiifGeek writes "A team of researchers dedicated to finding means to fully control and interact with the new Apple iPhone claim to have successfully gained an interactive shell on the device. In order to achieve this feat, physical access to the phone is required, as it relies on some minor electronics to be created and connected to the phone's serial port. It is believed that general control over the iPhone will be available to the enterprising researchers within a week (after all, it has only just been a week since the iPhone was released), with the promise of enough control to allow for self-propagating code not very far away."
  • by Anonymous Coward on Friday July 06, 2007 @11:39PM (#19776591)
    A vaccine doesn't propagate. It's dead.

    Self-propagating always means 'bad'.
  • by Ungrounded Lightning ( 62228 ) on Friday July 06, 2007 @11:41PM (#19776607) Journal
    The list of commands given make it sound more like a boot loader than a shell.

    Yep. Sounds like a bootstrapping and image management firmware. (A pretty capable one, though. Not some minimalist system launcher.)

    But isn't that what you WANT if you're trying to establish control of your machine? Why live within the old image's limitations if you can replace it?

    Meanwhile this has lots of debugging and control tools suitable for tweaking and reverse-engineering the running image. And that command list sure looks like it will let you load and launch a debugging tool that's more capable and give that tool even more control of the running system than is built into this firmware.

    This machine is about to be opened, whether Apple likes it or not.

    (I wouldn't be surprised if - at some level within the company - they really wanted it to be opened and only launched it in closed form so they could write contracts with networking companies and obtain FCC type approval. Plausible deniability at work.)
  • by karmatic ( 776420 ) on Friday July 06, 2007 @11:49PM (#19776665)
    Actually, it's been reported that the iPhone doesn't require signed binaries. You can swap and modify them at will.

    There's a restore image, and they have managed to decrypt, extract, and modify said image before sending it to the phone. The executables aren't encrypted or signed on the device; however, the restore image has a password. They have the password.
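Added example, not code from the original thread or from the researchers it describes: karmatic's claim is that executables on the device are neither encrypted nor signed. The quickest way to test "is this binary signed at all" on a Mach-O file is to walk its load commands and look for LC_CODE_SIGNATURE pointing at an embedded signature SuperBlob (magic 0xfade0cc0). This check only reports presence of a signature, not whether it validates. The sample files built by make_sample are constructed inline for the example and are not real iPhone binaries; the function names load_commands, signature_status and make_sample are this example's own.

```python
import struct

# Mach-O header magics (thin files only; a fat/universal file starts with 0xCAFEBABE)
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
LC_SEGMENT = 0x01
LC_CODE_SIGNATURE = 0x1D                 # linkedit_data_command: cmd, cmdsize, dataoff, datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # big-endian magic of the SuperBlob that dataoff points at


def load_commands(data: bytes):
    """Yield (cmd, raw_bytes, endian) for each load command, with bounds checks."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O")
    magic, = struct.unpack_from("<I", data, 0)
    if magic in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: pick one architecture slice first")
    if magic in (MH_MAGIC, MH_CIGAM):
        endian, header_size = ("<" if magic == MH_MAGIC else ">"), 28
    elif magic in (MH_MAGIC_64, MH_CIGAM_64):
        endian, header_size = ("<" if magic == MH_MAGIC_64 else ">"), 32
    else:
        raise ValueError("not a Mach-O: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    off, end = header_size, header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        yield cmd, data[off:off + cmdsize], endian
        off += cmdsize


def signature_status(data: bytes) -> str:
    """Return 'unsigned', 'signed', or a description of a dangling LC_CODE_SIGNATURE."""
    for cmd, raw, endian in load_commands(data):
        if cmd != LC_CODE_SIGNATURE:
            continue
        if len(raw) < 16:
            return "LC_CODE_SIGNATURE too short"
        _, _, dataoff, datasize = struct.unpack_from(endian + "IIII", raw, 0)
        if datasize < 4 or dataoff + datasize > len(data):
            return "LC_CODE_SIGNATURE points outside the file"
        blob_magic, = struct.unpack_from(">I", data, dataoff)
        if blob_magic != CSMAGIC_EMBEDDED_SIGNATURE:
            return "LC_CODE_SIGNATURE present but no signature SuperBlob at dataoff"
        return "signed"
    return "unsigned"


# --- constructed sample files for this example; not real iPhone binaries ---
def _segment(name: bytes) -> bytes:
    # 32-bit segment_command: cmd, cmdsize, segname[16], vmaddr, vmsize,
    # fileoff, filesize, maxprot, initprot, nsects, flags -> 56 bytes
    return struct.pack("<II16sIIIIiiII", LC_SEGMENT, 56, name, 0, 0x1000, 0, 0x1000, 7, 5, 0, 0)


def make_sample(signed: bool) -> bytes:
    """Minimal little-endian 32-bit ARM MH_EXECUTE, optionally carrying a signature blob."""
    cmds = _segment(b"__TEXT")
    header_len = 28
    if signed:
        blob = struct.pack(">I", CSMAGIC_EMBEDDED_SIGNATURE) + b"\0" * 12  # stub SuperBlob
        dataoff = header_len + len(cmds) + 16                             # blob follows the commands
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, dataoff, len(blob))
    else:
        blob = b""
    ncmds = 2 if signed else 1
    # cputype 12 = CPU_TYPE_ARM, cpusubtype 6 = ARMv6, filetype 2 = MH_EXECUTE
    header = struct.pack("<IiiIIII", MH_MAGIC, 12, 6, 2, ncmds, len(cmds), 0)
    return header + cmds + blob


if __name__ == "__main__":
    for label, sample in (("unsigned", make_sample(False)), ("signed", make_sample(True))):
        print(label, "->", signature_status(sample))
```

To run it on a real file, read it into bytes and call signature_status; a fat binary must be split into one slice first, and a result of "signed" still says nothing about who signed it or whether the platform would accept it.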

  • Re:I don't get it (Score:3, Interesting)

    by suv4x4 ( 956391 ) on Saturday July 07, 2007 @12:13AM (#19776825)
    Have ANY of those others been even nearly as successful as the iPhone has already been?

    I advise you to look at hard numbers when talking about success, since "recent hype" metrics are wildly inaccurate.

    For example, let's see, I have a Sony Ericsson. How many were sold from this one model? 22 million in Q1 2007 (3 months).

    How many has iPhone sold? 0.5 million. Of course, iPhone is just hot out of the oven, but I only trust numbers, so I'll wait and see how it does for, say, 3 months.

    If it tops other phone makers, I'll agree with your sentiment.
  • by Animats ( 122034 ) on Saturday July 07, 2007 @12:24AM (#19776895) Homepage

    From the command list, they're talking to the boot loader, not the operating system. That's nice, but rather low level. You can load another operating system image, so there's the potential of booting a different OS, if someone writes the appropriate drivers. Somebody will probably boot Linux eventually, but mostly as a curiosity.

  • Re:I don't get it (Score:4, Interesting)

    by jonwil ( 467024 ) on Saturday July 07, 2007 @12:56AM (#19777085)
    The problem is, many carriers disable self-made applications or require apps to be signed with a carrier or manufacturer key (e.g. Verizon and BREW for the most annoying example) or they disable features that would otherwise be accessible to unsigned apps (e.g. T-Mobile and their recent changes so only signed J2ME apps can access the internet on their phones).
  • by abes ( 82351 ) on Saturday July 07, 2007 @01:09AM (#19777137) Homepage
    I hope that this is true. I am really itching to write apps for the iPhone. The interface makes it an interesting device. The problem that most people have when reviewing it is that they have to compare it to already known devices. Yes, the keyboard won't be as good as real hardware for typing speed. However, it does open the possibilities of things previously not possible, such as a modifiable keyboard (except for that vapor-ware one with the OLED keys). Additionally, the Jeff Han video has shown some other cool possibilities (beyond the stretch thing that is currently used... which is cool, but doesn't mean more isn't possible).

    It's interesting to see how Apple has so far managed security. Unlike other companies, at least so far, they don't seem set on complete lock down. For example, so far they seem only to use the Trusted Computing to make their OS run on Apple hardware only. They could be a lot more evil with it. Even the DRM on their music. While they change it up occasionally, they at least haven't made a lot of sound about PlayFair.

    As for the iPhone, it might be a matter that they're fine with people hacking it, as long as they don't have to be held responsible for it. That is, if your iPhone starts crashing, it's because you put programs on it that you weren't supposed to. Doing so also allows them to watch what other people are doing with the HW (free R&D). It's somewhat similar to what they did with Bootcamp. They didn't actively stop people from getting Windows booting on the Intel computers, but they also didn't help.

    I guess the two telling signs of this will be if: (a) Apple patches this with their next update (an update coming real soon?), and (b) if they force signed binaries to run on the iPhone.
  • Re:Turtle Power! (Score:5, Interesting)

    by Anonymous Coward on Saturday July 07, 2007 @01:27AM (#19777227)
    The difference between a "researcher" and a "hacker" is that a "researcher" works in a nice shiny office building or school campus, while a "hacker" works at home or his mom's basement.

    Seriously, if blogs mean anybody can become a journalist, if open source means anybody can write code used in mission critical systems, I think it's only fair that any random curious person can be a "researcher".
  • by Reverberant ( 303566 ) on Saturday July 07, 2007 @02:27AM (#19777547) Homepage

    From the Singh [osxbook.com] linked in the Boing Boing segment:

    The media has been discussing "Apple's use of TPM" for a long time now. There have been numerous reports of system attackers bypassing "Apple's TPM protection" and finding "Apple's TPM keys." Nevertheless, it is important to note that Apple does not use the TPM. If you have a TPM-equipped Macintosh computer, you can use the TPM for its intended purpose, with no side effect on the normal working of Mac OS X.
  • Re:HAHA (Score:3, Interesting)

    by vrmlguy ( 120854 ) <samwyse&gmail,com> on Saturday July 07, 2007 @05:29AM (#19778291) Homepage Journal
    Do you know what "open" means? Compaq merely copied what IBM had opened. Out in the garage, I've still got the manual for my IBM PC-XT, which included a complete listing of the BIOS. It was as open as anything RMS could have hoped for at the time. Nothing except ownership of an EPROM programmer kept you from making your own version for private use. The only restriction was that you couldn't re-publish your work since IBM had a copyright on the code that they wouldn't share. Compaq apparently did a clean-room re-implementation of the BIOS because IBM left them alone; other manufacturers of clones simply copied the IBM BIOS and IBM came down on them like a ton of bricks.
  • by smilindog2000 ( 907665 ) <bill@billrocks.org> on Saturday July 07, 2007 @05:43AM (#19778335) Homepage
    The hard part will be building a useful boot image. I'll bet Apple pulled their shell from their release image, meaning there's no shell to run. Writing applications for iPhone is the real goal, and doing that without access to Apple's build system is going to be really hard. I suppose if they can reverse engineer what all the peripherals are and how to communicate with them, then somebody can begin porting Linux to it (they did it with iPod). That won't let you write and share applications with friends who have normal iPhones.

    I understand Steve Jobs's reluctance to have all of us geeks gain full control over the radio and low-level network protocols that run over the radio, but couldn't he put that code in a different closed-source controller, and give us the ability to write apps?
  • by Anonymous Coward on Saturday July 07, 2007 @11:10AM (#19779971)
    It's possible that the developer preview version of OSx86 made use of the TPM. After all, that machine had a BIOS and was more-or-less a generic x86 machine in an Apple case. The production units, though, use EFI instead of a BIOS. Mac OS X makes heavy use of EFI's capabilities to replace some of what was lost from OpenFirmware. It makes no use of the TPM. The only reason the current Intel release of Tiger doesn't run on generic hardware is that the generic hardware doesn't have the EFI which OS X depends on.