iPhone Researchers Gain a Shell

Posted by Zonk
from the just-don't-play-three-card dept.
SkiifGeek writes "A team of researchers dedicated to finding means to fully control and interact with the new Apple iPhone claim to have successfully gained an interactive shell on the device. In order to achieve this feat, physical access to the phone is required, as it relies on some minor electronics being built and connected to the phone's serial port. It is believed that general control over the iPhone will be available to the enterprising researchers within a week (after all, it has only just been a week since the iPhone was released), with the promise of enough control to allow for self-propagating code not very far away."

  • by Anonymous Coward on Friday July 06, 2007 @10:20PM (#19776469)

    iPhone Researchers Gain a Shell
    So ... they're now more turtle-like? Or becoming hardened from low blow attacks about prices?

    And calling them 'researchers?' Oh, come on. 'Hacker' is an appropriate term, just ask Paul Graham [paulgraham.com].
    • Re:Turtle Power! (Score:5, Interesting)

      by Anonymous Coward on Saturday July 07, 2007 @12:27AM (#19777227)
      The difference between a "researcher" and a "hacker" is that a "researcher" works in a nice shiny office building or school campus, while a "hacker" works at home or his mom's basement.

      Seriously, if blogs mean anybody can become a journalist, if open source means anybody can write code used in mission critical systems, I think it's only fair that any random curious person can be a "researcher".
  • by larry bagina (561269) on Friday July 06, 2007 @10:24PM (#19776501) Journal
    command list:
            help            this list
            script          run script at specific address
            go              jump directly to address
            bootx           boot a kernel cache at specified address
            diags           boot into diagnostics (if present)
            tsys            boot into tsys (if present)
            bdev            block device commands
            image           flash image inspection
            fs              file system commands
            fsboot          try to boot kernel at /kernelcache
            devicetree      create a device tree from the specified address
            ramdisk         create a ramdisk from the specified address
            tftp            tftp via ethernet to/from device
            eload           tftp via ethernet from hardcoded install server
            halt            halt the system (good for JTAG)
            reboot          reboot the device
            poweroff        power off the device
            md              memory display - 32bit
            mdh             memory display - 16bit
            mdb             memory display - 8bit
            mw              memory write - 32bit
            mwh             memory write - 16bit
            mwb             memory write - 8bit
            mws             memory write - string
            crc             POSIX 1003.2 checksum of memory
            task            examine system tasks
            printenv        print one or all environment variables
            setenv          set an environment variable
            clearenv        clear all environment variables
            saveenv         save current environment to flash
            run             use contents of environment var as script
            bgcolor         set the display background color
            setpicture      set the image on the display
            iic             iic read/write
            radio           Manipulate the radio board.
            setbusclock     Set bus clock to the given frequency in Hz.
            setcorevoltage  Set core voltage to the given voltage in mV.
            syscfg          flash SysCfg inspection
            charge          Manage the charger chip.
            powernvram      Access Power NVRAM.
            usb             run a USB command
            nand            nand flash routines
            chunk           chunk a file
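The list above includes "crc POSIX 1003.2 checksum of memory", which is the checksum the Unix cksum utility prints, not the CRC-32 used by zlib or Ethernet. What follows is an added example, not code from this thread or from the phone's firmware: a Python implementation of that checksum, so that a region read back over the console with the md commands can be compared against the same bytes in a local copy of the image and against the value the boot loader reports. It assumes the boot loader's crc command really computes the standard POSIX algorithm over the raw bytes (the help text says so; the exact output format is not on this page). The region_matches helper and the sample image are this example's own constructions.

```python
"""POSIX 1003.2 (Unix cksum) checksum, as a bootloader 'crc' command would report it.

Added example, not code from the thread or from the iPhone firmware. It assumes
the bootloader's crc command computes the standard POSIX 1003.2 CRC over the
raw bytes of the region you name.
"""

POLY = 0x04C11DB7  # CRC-32 generator polynomial, processed MSB-first (not reflected)


def make_table():
    """Build the 256-entry lookup table for the MSB-first CRC-32."""
    table = []
    for i in range(256):
        c = i << 24
        for _ in range(8):
            if c & 0x80000000:
                c = ((c << 1) ^ POLY) & 0xFFFFFFFF
            else:
                c = (c << 1) & 0xFFFFFFFF
        table.append(c)
    return table


TABLE = make_table()


def posix_cksum(data: bytes) -> int:
    """Return the POSIX 1003.2 checksum of data, as `cksum` would print it.

    Unlike zlib/Ethernet CRC-32, this variant starts from 0, is not
    bit-reflected, feeds the byte length in after the message (low byte first,
    stopping once the remaining length is zero) and complements the result.
    That is why `cksum < /dev/null` prints 4294967295: nothing is fed in, so the
    register is still 0 and ~0 == 0xFFFFFFFF.
    """
    crc = 0
    for b in data:
        crc = ((crc << 8) ^ TABLE[((crc >> 24) ^ b) & 0xFF]) & 0xFFFFFFFF
    length = len(data)
    while length:
        crc = ((crc << 8) ^ TABLE[((crc >> 24) ^ length) & 0xFF]) & 0xFFFFFFFF
        length >>= 8
    return (~crc) & 0xFFFFFFFF


def region_matches(dumped: bytes, image: bytes, offset: int, reported_crc: int) -> bool:
    """Check a region dumped from the device against a local copy of the image.

    dumped is what came back over the serial console, image[offset:...] is the
    same range in your local copy, and reported_crc is what the bootloader's crc
    command printed for that range. All three have to agree. (Hypothetical
    helper for this example.)
    """
    local = image[offset:offset + len(dumped)]
    return dumped == local and posix_cksum(dumped) == reported_crc


if __name__ == "__main__":
    # Constructed sample: a fake image and a dump of bytes 16..48 of it.
    image = bytes(range(256)) * 2
    dump = image[16:48]
    crc = posix_cksum(dump)
    print(f"crc of dumped region: {crc} (0x{crc:08X})")
    print("region matches local image:", region_matches(dump, image, 16, crc))
```

The two hard-wired checks worth knowing when you validate your own implementation: an empty input yields 4294967295, and a single NUL byte yields 0xFB3EE248 (only the length byte 1 is ever mixed in, so the result is the complement of the table entry for 1, which is the polynomial itself).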
    • by iluvcapra (782887) on Friday July 06, 2007 @10:44PM (#19776637)

      It looks a lot like an old forth/open firmware prompt, kind of like on PowerMacs. On PowerMacs you could get a list like this when you booted while holding down some magic keys. You could even open a remote session on your open firmware if you set a server running on the target machine (this required physical access to the target machine at boot time).

      If this is really what it looks like, then it's really low-level access to the hardware. OTOH, it requires physical access to the iPhone, and once you've got the thing up, the bootloader is likely to blow away most of the low-level environment. The real crown jewels would be decryption of the binaries on the phone, plus breaking the various validations and checksums the iPhone's doing before it runs, so you could patch them to do your evil, but that's a bigger hack.

      • by karmatic (776420) on Friday July 06, 2007 @10:49PM (#19776665)
        Actually, it's been reported that the iPhone doesn't require signed binaries. You can swap and modify them at will.

        There's a restore image, and they have managed to decrypt, extract, and modify said image before sending it to the phone. The executables aren't encrypted or signed on the device; however, the restore image has a password. They have the password.

        • by abes (82351) on Saturday July 07, 2007 @12:09AM (#19777137) Homepage
          I hope that this is true. I am really itching to write apps for the iPhone. The interface makes it an interesting device. The problem that most people have when reviewing it is that they have to compare it to already known devices. Yes, the keyboard won't be as good as a real hardware for typing speed. However, it does open the possibilities of things previously not possible, such as modifiable keyboard (except for that vapor-ware one with the OLED keys). Additionally, the Jeff Han video has shown some other cool possibilities (beyond the stretch thing that is currently used .. which is cool, but doesn't mean more isn't possible).

          It's interesting to see how Apple has so far managed security. Unlike other companies, at least so far, they don't seem set on complete lockdown. For example, so far they seem only to use Trusted Computing to make their OS run on Apple hardware only. They could be a lot more evil with it. Even the DRM on their music. While they change it up occasionally, they at least haven't made a lot of sound about PlayFair.

          As for the iPhone, it might be a matter that they're fine with people hacking it, as long as they don't have to be held responsible for it. That is, if your iPhone starts crashing, it's because you put programs on it that you weren't supposed to. Doing so also allows them to watch what other people are doing with the HW (free R&D). It's somewhat similar to what they did with Bootcamp. They didn't actively stop people from getting Windows booting on the Intel computers, but they also didn't help.

          I guess the two telling signs of this will be if: (a) Apple patches this with their next update (an update coming real soon?), and (b) if they force signed binaries to run on the iPhone.
          • For example, so far they seem only to use the Trusted Computing to make their OS run on Apple hardware only.

            Apple doesn't use Trusted Computing [boingboing.net].

            • by abes (82351)
              As noted in that article, that's only true for the newer Mac Pros. Though, it was my understanding that Apple previously used it to make sure their OS wouldn't run on non-apple HW... if they dropped it from the Mac Pros, I wonder if they are going to continue to do this.

              Anyways, the iPhone runs the ARM processor (most likely from Samsung, as several sources have suggested). I am led to believe from those articles that the ARM processors have a Trusted Computer Mode built in, so it's there regardless of whet
              • by Reverberant (303566) on Saturday July 07, 2007 @01:27AM (#19777547) Homepage

                From the Singh [osxbook.com] linked in the Boing Boing segment:

                The media has been discussing "Apple's use of TPM" for a long time now. There have been numerous reports of system attackers bypassing "Apple's TPM protection" and finding "Apple's TPM keys." Nevertheless, it is important to note that Apple does not use the TPM. If you have a TPM-equipped Macintosh computer, you can use the TPM for its intended purpose, with no side effect on the normal working of Mac OS X.
                • by abes (82351)
                  That is indeed what Singh claims, and for the most part I believe him to be completely correct. Apple does not use TPM for applications running on the OS. HOWEVER, if you might remember, OS X did not easily run on non-apple PCs, even though in theory they should be the same. Articles such as:

                  http://daringfireball.net/2005/08/trusted [daringfireball.net]

                  state that Apple specifically used TPM as a means to keep OS X running only on signed Apple HW. This is based off of what the OSx86 group claimed (who wrote the hack to get it
                  • by iluvcapra (782887) on Saturday July 07, 2007 @02:10AM (#19777715)

                    I believe Gruber was misinformed on the issue (first time that ever happened, surely.) My Intel Macbook and Intel Mac Pro do not have a TPM:

                    $ ioreg | grep tpm

                    $ ioreg | grep TPM

                    $ ioreg | grep infineon

                    I'm not just taking ioreg's word for it, at least in the case of the Mac Pro. I've opened it and can't find an infineon or any other unaccounted-for LPC IC.

                    Just because it's hard for J. Random Cracker to get an OS running on a hardware platform it's not supported on, without the source code, doesn't mean someone's lying. Further, the teardowns of the iPhone available on the internet include no mention of a trusted platform module, which is a physical artifact, not an "implementation."

                    (Let us not forget of course, the presence of the Dont_Steal_Mac_OS_X device, whose manifestation and theory of operation remain shrouded in mystery ;P)

                  • Articles such as: [DaringFireball] state that Apple specifically used TPM as a means to keep OS X running only on signed Apple HW. This is based off of what the OSx86 group claimed (who wrote the hack to get it working on the PCs). So if it's not true, then either they're lying, the hack doesn't really work, or there's misinformation about what happened.

                    That was based on the developer hardware that Apple shipped prior to the Intel transition (look at the date of the DF article - the first Intel Mac shipped on Jan 2006 [apple-history.com]). Production MacIntels never shipped with TPM support. Apple uses encrypted binaries [osxbook.com] to prevent Mac OS X from running on non-Apple Intel hardware.

                    I know it doesn't matter in the context of the iPhone, but I'm just trying to correct the misperception that Apple uses/used TPM on their shipping Macs - they don't

                    • by abes (82351)
                      I posted this above, but:

                      1. I assure you I am typing right now on a Mactel computer (Macbook Pro) which does indeed have TPM (ioreg confirms this)

                      2. The people who got it running on non-apple PCs claim they had to work around TPM:

                      http://wiki.osx86project.org/wiki/index.php/Technical_FAQ [osx86project.org]

                      3. Yes, but we're not talking about the applications that Apple uses in general, and thus has nothing to do with encrypted binaries. Again, according to their FAQ this is primarily done for installation of OS X and for using
          • As for the iPhone, it might be a matter that they're fine with people hacking it, as long as they don't have to be held responsible for it. That is, if your iPhone starts crashing, it's because you put programs on it that you weren't supposed to.

            If this was the case, why not just release an SDK?

            I also doubt anyone will crack the UI interfaces to the point that we can create iPhone-UI apps. Where would we get the libraries from?
            • by abes (82351)
              As for the SDK, it depends on which theory you buy into. Some suggest Apple is still cleaning things up, and once they do they will release an SDK. Perhaps it's dependent on XCode 3.0, in which case we won't expect it until October. But then why wouldn't Apple just say so...? Jobs works in mysterious ways...

              If they aren't planning on releasing an SDK, it might be a matter of simply waiting to see if anything worthwhile comes along. It's no skin off their back if people hack it and put their own apps on it. If
    • by Provocateur (133110) on Saturday July 07, 2007 @12:52AM (#19777383) Homepage
      Don't forget the essentials:
      IDSPISPOPD - no clipping (walk through walls with iPhone)
      IDBEHOLDS - Berserker! With iPhone!
      IDDQD - God/Steve Jobs mode (not just a seafood restaurant, but a reservation at that restaurant)
  • by n2rjt (88804) on Friday July 06, 2007 @10:26PM (#19776523) Journal
    The list of commands given make it sound more like a boot loader than a shell.
    • by Ungrounded Lightning (62228) on Friday July 06, 2007 @10:41PM (#19776607) Journal
      The list of commands given make it sound more like a boot loader than a shell.

      Yep. Sounds like a bootstrapping and image management firmware. (A pretty capable one, though. Not some minimalist system launcher.)

      But isn't that what you WANT if you're trying to establish control of your machine? Why live within the old image's limitations if you can replace it?

      Meanwhile this has lots of debugging and control tools suitable for tweaking and reverse-engineering the running image. And that command list sure looks like it will let you load and launch a debugging tool that's more capable and give that tool even more control of the running system than is built into this firmware.

      This machine is about to be opened, whether Apple likes it or not.

      (I wouldn't be surprised if - at some level within the company - they really wanted it to be opened and only launched it in closed form so they could write contracts with networking companies and obtain FCC type approval. Plausible deniability at work.)
      • by gkhan1 (886823)

        Could you please explain the difference? It seems like a shell to me. I mean, tftp isn't something you launch from a boot loader, is it?

        • Re: (Score:3, Informative)

          by jmorris42 (1458) *
          > I mean, tftp isn't something you launch from a boot loader, is it?

          Said by someone who thinks a PC BIOS is a boot loader. New World (iMac forward?) and newer Mac roms can do it, darned near every "workstation" can do it.

          Even a lot of $30 routers have boot loaders that can do tftp... once you solder on the headers to get at the serial console port, like was done to the iPhone. Heck, even a PC's PXE net booting involves DHCP to get an address/etc and then followed by a tftp.
          • by dfghjk (711126)
            "Said by someone who thinks a PC BIOS is a boot loader."

            What an asshole. Since when isn't it?
        • Actually it's fairly common, I believe. TFTP does stand for Trivial File Transfer Protocol. It's specifically designed to be simple and easy to implement.
        • by prockcore (543967)

          I mean, tftp isn't something you launch from a boot loader, is it?


          tftp is something you'd probably ONLY launch from a firmware interface... to download a kernel.

          The fact that there's an option to boot a specific kernel tells me that this is definitely a firmware command line. No OS is running yet.
        • by mikael (484)
          tftp is an embedded ftp client/server (Trivial FTP). It's built into the bootloader to support file transfers.

          When you're debugging embedded systems, you would telnet into several ports - one for diagnostic errors/warnings, another for sending boot/reboot/halt/load image/save image commands. The system would use TFTP to load/save images across the local network.
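The back-and-forth above over whether tftp belongs in a boot loader comes down to how little the protocol needs. What follows is an added example, not code from this thread, from any boot loader or from the iPhone Dev Wiki: a minimal RFC 1350 read-request exchange in Python, with the server and client run in-process and passing byte strings directly instead of UDP datagrams, moving a constructed "kernel image". It is the same exchange a firmware tftp command, or a PXE client once DHCP has handed it an address, performs to pull a kernel: a two-byte opcode, 512-byte data blocks acknowledged one at a time in lock step, and a short final block meaning done. The TftpServer class, the tftp_get function and the file names are this example's own.

```python
"""Minimal RFC 1350 TFTP read exchange (RRQ / DATA / ACK), run in-process.

Added example, not code from the thread or from any boot loader: the server and
client below hand byte strings to each other instead of sending UDP datagrams,
and the 'kernel image' they move is constructed. The packet layouts are the
ones RFC 1350 specifies.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # fixed data block size; a block shorter than this ends the transfer


def rrq(filename, mode="octet"):
    """Read request: opcode, NUL-terminated filename, NUL-terminated mode."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def data(block, payload):
    # Block numbers are 16 bits on the wire, so they wrap for images over 32 MiB.
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def ack(block):
    return struct.pack("!HH", ACK, block & 0xFFFF)


def error(code, msg):
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def opcode(pkt):
    return struct.unpack("!H", pkt[:2])[0]


class TftpServer:
    """Serves files from an in-memory dict, one lock-step transfer at a time."""

    def __init__(self, files):
        self.files = files
        self.image = b""
        self.block = 0       # number of the DATA block most recently sent
        self.final = False   # was that block the short, final one?
        self.done = True     # no transfer in progress yet
        self.sent = 0        # DATA packets sent, for the caller to inspect

    def handle(self, pkt):
        """Take one client packet and return the reply (None once the transfer ends)."""
        op = opcode(pkt)
        if op == RRQ:
            name, mode = pkt[2:].split(b"\0")[:2]
            if name.decode() not in self.files:
                return error(1, "File not found")
            if mode.lower() != b"octet":
                return error(0, "only octet mode is supported")
            self.image, self.block, self.done = self.files[name.decode()], 0, False
            return self._send_next()
        if op == ACK and not self.done:
            (acked,) = struct.unpack("!H", pkt[2:4])
            if acked != (self.block & 0xFFFF):
                return data(self.block, self._chunk(self.block))  # stale ACK: resend
            if self.final:
                self.done = True
                return None
            return self._send_next()
        return error(4, "Illegal TFTP operation")

    def _chunk(self, block):
        start = (block - 1) * BLOCK
        return self.image[start:start + BLOCK]

    def _send_next(self):
        self.block += 1
        chunk = self._chunk(self.block)
        self.final = len(chunk) < BLOCK   # an image that is a multiple of 512 ends with an empty block
        self.sent += 1
        return data(self.block, chunk)


def tftp_get(server, filename):
    """Client side: request the file and reassemble it block by block."""
    image = bytearray()
    expected = 1
    pkt = server.handle(rrq(filename))
    while True:
        op = opcode(pkt)
        if op == ERROR:
            (code,) = struct.unpack("!H", pkt[2:4])
            raise IOError(f"tftp error {code}: {pkt[4:-1].decode()}")
        if op != DATA:
            raise IOError(f"unexpected opcode {op}")
        (block,) = struct.unpack("!H", pkt[2:4])
        if block != (expected & 0xFFFF):
            raise IOError(f"got block {block}, expected {expected & 0xFFFF}")
        payload = pkt[4:]
        image += payload
        reply = server.handle(ack(block))   # every block is acknowledged, the last one included
        if len(payload) < BLOCK:
            return bytes(image)
        expected += 1
        pkt = reply


if __name__ == "__main__":
    # Constructed sample image: 1280 bytes, i.e. two full blocks and a 256-byte tail.
    image = bytes(range(256)) * 5
    srv = TftpServer({"kernelcache": image})
    got = tftp_get(srv, "kernelcache")
    print(f"received {len(got)} bytes in {srv.sent} DATA packets, intact: {got == image}")
```

The whole thing fits in a few dozen lines and needs no timers beyond a retransmit-on-stale-ACK rule, which is exactly the property a few kilobytes of boot firmware can afford; note that nothing here authenticates the server or the image, so what a boot loader pulls this way is only as trustworthy as the network segment it pulls it from.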
      • This device needs Linux.

        Get that, and still functioning as a phone, and life will be good.

        Apps? Yeah! Quick, somebody add multi-touch support to xeyes.
    • The list of commands given make it sound more like a boot loader than a shell.
      Indeed. In fact, it looks eerily like u-boot.
    • by garcia (6573) on Saturday July 07, 2007 @12:01AM (#19777109)
      Check out the iPhone Dev Wiki here [fiveforty.net]. As of 10:15 PM (July 6th) they are here [fiveforty.net]:

      * A serial console is now working to the device. It requires a 6.8k resistor from pin 21 to ground, and tie pin 11 (sergnd) to the real ground. You can use iPhoneInterface to send some commands in recovery mode (setenv debug-uarts 1, saveenv, and reboot), and then you'll be in the boot loader.

      * Some of us believe that the boot loader is the key to really unlocking the radio but we have several other approaches a serial console has enabled us to test. A few of us have been hard at work on some proof of concept code for these pieces, and we will release them as available.

      * We know exactly how to unlock the radio right now. The problem is, getting the commands to the radio has proved more difficult than we anticipated. We have a couple of different potential vectors:
            o The boot loader's memory display and writing commands, or the ability to send commands to the radio directly using 'radio send'. Many of these commands report permission denied. We are interested in getting around this.
            o bbupdater and imeisv can do interesting things with the radio. We are trying to get to the point where we can run these commands and get output back.

      * We have made some really good progress getting third party apps to run on the phone. More information on this will be available soon.
  • by suv4x4 (956391) on Friday July 06, 2007 @10:36PM (#19776571)
    There are thousands of phones out there - why concentrate such incredible efforts on the iPhone specifically? Don't the other phones out there need to... uhmmm...

    Oh, ok, the other phones have API and aren't locked to AT&T.

    I get it now.
    • We could be seeing some validation of the old theory that MS gets hacked more because it is so much more visible than other software (not that I buy into that as a sole reason for the number of MS exploits).

      OTOH I don't keep up with cellphone tech.. so maybe the iPhone really deserves this much attention. Last I heard, though, there were other phones out there that offered many more computer-like features than the iPhone... which I have heard lacks some very basic PDA-like features that are becoming standa
  • by Seumas (6865) on Friday July 06, 2007 @10:44PM (#19776633)
    As in iShelled out a lot of cash for this phone. Am I nuts?!
  • by timmarhy (659436) on Friday July 06, 2007 @10:49PM (#19776663)
    Take down notice is pending, you watch
  • Why hack when you can simply develop on one of the many more open mobile development platforms? Like for example Microsoft Windows Mobile?

    It's the classic tale that Apple seems to have not yet learnt, the only way to gain long term success in a market is to allow 3rd parties to develop under your platform and support you. If you fail to provide the appropriate level access to your systems your competition will, and those looking for a mobile development platform will move to the competition.

    Apple should b
    • by Thrudheim (910314) on Friday July 06, 2007 @11:41PM (#19777003)
      Not trying to flame here, but it never ceases to amaze me that people will just assume that Apple is completely short-sighted. There are billions of dollars at stake, and Apple has been working on this device for years. Do you really think that they haven't considered this carefully? That there is some "classic tale" that somehow people at Apple are too blind to see?

      Apple has learned many lessons, and many of them are much more relevant to the success of the iPhone than the decision in the early days of the Mac to not license the operating system. They have learned that you don't necessarily need the most apps, you need great apps. The iPhone, one way or another, will have great apps. From the iPod, they have learned that keeping full control over the device enables them to move more nimbly, unlike the cumbersome PlaysFor{not}Sure system developed by Microsoft.

      Windows Mobile is already out there and has been out there for years. Yet, the iPhone can come along and make an immediate, serious impact on the market. Apple knows what it is doing, and they will do with the iPhone what they need to do to keep it competitive.

      • Firstly let me start by saying the Apple II and the Apple Mac had far more hype surrounding them when they were first released than the iPhone does today. Without a bailout from Microsoft in the late 90's Apple and its platform would have perished.

        The measure of the iPhone's success will be 20 years from now, not at the time it's launched.

        As was the case with the PC market in its early stages, from the user perspective there have been lots of issues and problems with Windows Mobile phones. Marrying an OS platf
      • by dfghjk (711126)
        "They have learned that you don't necessarily need the most apps, you need great apps. The iPhone, one way or another, will have great apps."

        When will the iPhone get great apps? So far the consensus is, and I agree since I own one, that the iPhone apps consistently have major shortcomings. The media app is good, google maps is good, everything else is substandard. Mail sucks, SMS is missing obvious features, calc is terrible, and other obvious apps are totally MIA.

        "From the iPod, they have learned that k
    • by gig (78408) on Saturday July 07, 2007 @12:27AM (#19777231)
      > It's the classic tale that Apple seems to have not yet learnt, the only way to gain long term success in a market
      > is to allow 3rd parties to develop under your platform and support you.

      You are making the mistake of thinking "3rd party development == C coders."

      The iPod has millions of third-party developers. They make music and movies. For example, Disney/Pixar, Dixie Chicks, Eminem, 20th Century Fox.

      The iPhone has millions of third-party developers. They make Web apps. For example, YouTube, Flickr, eBay, MySpace, Facebook, Twitter.

      An hour into your iPhone ownership you probably have the work of hundreds if not thousands of third-parties on your iPhone. Throughout an iPhone's two year life span (both the hardware and service contract are $X/month for 24 months) a typical user will probably have 1000x the third-party data in their iPhone than if they were using another phone. The iPhone has so much more storage, syncs so much more easily with your music and movies, and has a real Web browser and Wi-Fi so you can chew up a lot of Web over two years.

      So if your standard for greatness is third-parties then you have predicted iPhone's impending world domination.
      • by prockcore (543967)

        The iPhone has millions of third-party developers. They make Web apps. For example, YouTube, Flickr, eBay, MySpace, Facebook, Twitter.


        Interesting.. except that the iPhone can't actually use YouTube. Apple had to write a special program (in ObjC).
      • Nearly every phone for the last 6 or 7 years has supplied support for GPRS and web browsing. Contrary to popular belief HTML is not ideal for developing software applications. Basically HTML is a lousy medium in which to express your creativity. So what makes the iPhone so special? iTunes? Most phones on the market let you play MP3s.
      • by Mr2001 (90979)

        The iPhone has so much more storage, syncs so much more easily with your music and movies,
        I guess you haven't looked at non-Apple phones lately. My phone uses microSD cards and costs $50. For what it costs to buy an iPhone, I could get over 40 gigabytes of storage, and copying files onto it is as simple as dragging stuff in Explorer (or if I wanted to sync, I could do it with WMP).
      • You are making the mistake of thinking "3rd party development == C coders."

        No, I'm making the mistake of thinking "applications" == "things that run on the phone".

        Web applets? I've used them on my Palm and Pocket PC, years before the iPhone was a twinkle in Steve's eye. Every device has these... they *also* run software on the device itself, so you can use them with the battery-eating radio shut down.

        One of the most popular classes of applications on the Palm, for example, are input methods. You want something faster than their predictive keyboard? Sorry, you're out of luck. You want an eBook reader that doesn't require you to be online the whole time you're reading? Uh-uh, you don't get that. An application I use all the time is a shopping list app... that I couldn't use on the iPhone even if it was available as a web applet because there's a big fat dead area near the back of my neighborhood supermarket.

        This doesn't mean that it won't be a popular device. A lot of people seem happy with fancy dumb phones, but claiming that this is in any way comparable to the ability to run real native applications, or that being able to run web applets is some kind of unique feature of the iPhone, is just daft. That's something the competition has been doing for almost a decade now, and unless the people writing the applets are particularly stupid they're almost all going to work on any handheld. Certainly the only ones I've found that are iPhone-only are ones that explicitly check to see if they're running on one.
      • by dfghjk (711126)
        "The iPod has millions of third-party developers. They make music and movies. For example, Disney/Pixar, Dixie Chicks, Eminem, 20th Century Fox.

        The iPhone has millions of third-party developers. They make Web apps. For example, YouTube, Flickr, eBay, MySpace, Facebook, Twitter."

        Bullshit and bullshit.

        "An hour into your iPhone ownership you probably have the work of hundreds if not thousands of third-parties on your iPhone."

        Bullshit.

        "Throughout an iPhone's two year life span (both the hardware and service con
  • by vrmlguy (120854) on Friday July 06, 2007 @11:06PM (#19776783) Homepage Journal
    Not that that's a bad thing. Here's Wikipedia:

    Open Firmware (also, OpenBoot) is a hardware-independent firmware (computer software which loads the operating system), developed by Mitch Bradley at Sun Microsystems, and used in post-NuBus PowerPC-based Apple Macintosh computers, Sun Microsystems SPARC based workstations and servers, IBM POWER systems, Pegasos systems, and the laptop designed by OLPC among others. It is available under a BSD license. The proposed Power Architecture Platform Reference will also be Open Firmware based. On those computers, Open Firmware fulfills the same tasks as BIOS does on PC computers.

    It is accessed, by users, by a Forth-based shell interface. Forth is a powerful high-level language. For example, it is possible to program Open Firmware to solve the Tower of Hanoi problem.
    So, can you run your vast collection of bash scripts? Probably not. But Forth is a pretty cool language that's fun to play with.
  • by Animats (122034) on Friday July 06, 2007 @11:24PM (#19776895) Homepage

    From the command list, they're talking to the boot loader, not the operating system. That's nice, but rather low level. You can load another operating system image, so there's the potential of booting a different OS, if someone writes the appropriate drivers. Somebody will probably boot Linux eventually, but mostly as a curiosity.

  • I now preemptively welcome our iPhone Skynet masters.

    Way to go!
  • by Speare (84249) on Friday July 06, 2007 @11:45PM (#19777031) Homepage Journal
    I just got back from seeing Live Free or Die Hard. That Mac Guy from the advertisements can hack into the electric grid of the entire eastern United States in a matter of minutes (all while distracted by that sexy new Japanese camera model that speaks his language, hajimemashite, say no more, say no more), using nothing but a little rollup USB keyboard and a stolen Verizon mobile. What the hell is taking YOU guys so long to hack into this iPhone thing? Think Different! ;)
  • Now that would have been something!

    Good luck, hope this leads to that otherwise I don't see the point.

    Nick Powers
  • Companies doing hardware digital signature lockdown never get it right the first time. Look at the Xbox. Xbox was hacked to hell. The 360, however, was not, having exactly one exploit against it that was patched before it was made public.

    Expect iPhone 2.0 to be unhackable, putting the per-phone keys to the boot loader in fuses inside the CPU.
    • I hope that Apple is sensible about this.

      The whole "no native API" thing on the iPhone is a ludicrous idea in the first place.

      The Xbox was designed to sell for less than the cost of manufacture and make up for it with games sales, and the end-users of the Xbox have a reason to WANT it to be locked down - to prevent other users cheating them.

      The iPhone has a nice fat 40%+ margin built in, and iPhone users don't (so far as I know) run around shooting each other with bluetooth bullets. Locking down the iPhone
  • This self-propagating code will need to be very advanced. "as it relies on some minor electronics to be created and connected to the phone's serial port" Scary!!!
