Firmware images for all iOS devices can be downloaded from this URL:
On Wikipedia there's a table with all firmware versions, changelog and baseband version included.
On this page you can find all the decryption keys released for each firmware version and device:
Hack XCode to compile for ARM without certificates
Apple only allows you to compile with gcc-arm in XCode when you provide a certificate, which costs $99. You have to associate the UDID (Unique Device ID) with the build, so legally you can only run one build on one device.
To get your app running on all devices you have to publish it in the App Store, so Apple signs it and encrypts part of the binary to make it device-specific (this can be cracked with the Crackulous tool found in the cydia.hackulo.us repository).
Cydia provides a way to run unsigned programs on your device, so you need to hack XCode to compile without the certificate. You can find the instructions here:
After flashing an official firmware on an iPhone, you'll need to activate it with iTunes. If the phone is carrier-locked you will need a SIM card from the proper operator.
There are methods to bypass this activation lock.
* on iOS 3.x you can use blackra1n
* build a custom firmware with PwnageTool
* flash a whited00r firmware (custom cooked ROMs)
List all installed applications
An .IPA is just a .zip of the .app directory containing the application. To install it you should crack it with Crackulous on the original device and then unzip the cracked IPA into /Applications.
To backup/restore data you can use "iobs", a tool that can be checked out here:
This program runs natively on the device, identifies the installed applications and tries to back them up.
I wrote this script to convert the AddressBook sqlite database into a VCARD list, so you can export/import it by attaching the resulting file to a mail. Keep that mail in your INBOX and after upgrading your phone just load it :)
This script is named "ab2vcard" and it's distributed with iobs too.
NOTE: the sqlite databases of official Apple applications can change between iOS versions, so copy-pasting the mail/sms/contacts sqlite file between different versions can result in crashes, inoperability, etc. Always keep the original database file; do not overwrite it.
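As an added illustration of the AddressBook-to-vCard conversion (this is not the ab2vcard script shipped with iobs), the following Python builds a small in-memory database with an assumed subset of the AddressBook schema (tables ABPerson and ABMultiValue, property 3 = phone, 4 = email; all assumptions, check them against the database of your own firmware) and emits vCard 3.0 records from it:

```python
import sqlite3

# Assumed (not from the page) subset of the iOS AddressBook schema: ABPerson holds
# names, ABMultiValue holds phones/emails keyed by record_id, property 3 = phone,
# 4 = email. Check it against your own firmware's database (see the NOTE above).
PROP_PHONE, PROP_EMAIL = 3, 4

def escape(value):
    """Escape the characters vCard 3.0 treats specially."""
    return (value.replace("\\", "\\\\").replace(";", "\\;")
                 .replace(",", "\\,").replace("\n", "\\n"))

def ab2vcard(conn):
    """Return the whole address book as a vCard 3.0 text block (CRLF lines)."""
    persons = conn.execute(
        "SELECT ROWID, First, Last FROM ABPerson ORDER BY ROWID").fetchall()
    cards = []
    for rowid, first, last in persons:
        first, last = first or "", last or ""
        lines = ["BEGIN:VCARD", "VERSION:3.0",
                 "N:%s;%s;;;" % (escape(last), escape(first)),
                 "FN:%s" % escape((first + " " + last).strip())]
        for prop, value in conn.execute(
                "SELECT property, value FROM ABMultiValue "
                "WHERE record_id = ? ORDER BY ROWID", (rowid,)):
            if prop == PROP_PHONE:
                lines.append("TEL:" + escape(value))
            elif prop == PROP_EMAIL:
                lines.append("EMAIL:" + escape(value))
        lines.append("END:VCARD")
        cards.append("\r\n".join(lines))
    return "\r\n".join(cards) + "\r\n"

def sample_db():
    """Constructed in-memory database with the assumed schema (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT);
        CREATE TABLE ABMultiValue (record_id INTEGER, property INTEGER, value TEXT);
        INSERT INTO ABPerson VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', NULL);
        INSERT INTO ABMultiValue VALUES (1, 3, '+44 20 7946 0000'),
            (1, 4, 'ada@example.org'), (2, 4, 'alan@example.org');
    """)
    return conn

if __name__ == "__main__":
    # Real use: conn = sqlite3.connect("AddressBook.sqlitedb") copied off the device
    print(ab2vcard(sample_db()), end="")
```

Because the output is plain text, it survives an iOS upgrade inside a mail even when the sqlite schema changes.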
Jailbreaks are not always complete. The types you may find out there are:
* untethered: fully working jailbreak
* tethered: the iPhone will not boot until you exploit the bootloader and run an unsigned patched kernel that can run unsigned binaries from the jailbroken rootfs.
* semi-tethered: when booting without assistance it will use the official Apple kernel, so only signed binaries will run and Cydia and other jailbreak apps will not work. If you boot it with redsn0w you get a fully usable jailbroken device.
redsn0w is a tool that can be used to boot a tethered device. Pass the firmware (ipsw) to the program and click the "boot tethered right now" option.
For the iPod Touch 2G I have a port of iRecovery that works on Linux with the redsn0w exploit to boot a tethered jailbroken iPod Touch.
Make DMG images from firmware mountable
You must change 'HX' to 'H+' at offset 0x400.
This is in r2:
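The same two-byte fix as an added Python script (this is not the page's r2 command), working on a copy of the image so the original is never touched; the offset 0x400 and the 'HX'/'H+' markers are exactly the ones given above, and the guards refuse a file that is too short, already patched or not carrying the expected marker:

```python
import sys

MARKER_OFFSET = 0x400      # offset given in the notes above
STOCK_MARKER = b"HX"       # marker as found in the firmware .dmg
MOUNTABLE_MARKER = b"H+"   # marker that makes the image mountable

def patch_dmg_marker(data):
    """Return a copy of the image bytes with 'HX' at 0x400 replaced by 'H+'.

    Raises ValueError when the image is too short, already patched, or does
    not carry the expected marker, so nothing unexpected is ever modified."""
    if len(data) < MARKER_OFFSET + 2:
        raise ValueError("image shorter than 0x402 bytes, not a firmware dmg")
    found = data[MARKER_OFFSET:MARKER_OFFSET + 2]
    if found == MOUNTABLE_MARKER:
        raise ValueError("image already patched")
    if found != STOCK_MARKER:
        raise ValueError("unexpected marker %r at 0x400" % found)
    out = bytearray(data)
    out[MARKER_OFFSET:MARKER_OFFSET + 2] = MOUNTABLE_MARKER
    return bytes(out)

def patch_file(src, dst):
    """Read src, patch the marker and write the result to dst (src is kept)."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(patch_dmg_marker(data))

if __name__ == "__main__":
    # usage: python dmgfix.py original.dmg mountable.dmg
    patch_file(sys.argv[1], sys.argv[2])
```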
Cydia's GCC is broken; you need to do some tricks to make it work.
People in Twitter
Set DFU/Recovery mode
To set the device in DFU mode just follow these steps:
- plug in the cable
- press the power and home buttons
- wait 10 seconds
- release the power button and keep pressing home for about 5 seconds more
The device screen will stay black; use iTunes or iRecovery to run commands in the bootloader.
To set the device in recovery mode:
- unplug the cable
- press the power button for a while and slide to power off
- plug the cable in while pressing the home button until the iTunes+cable screen appears.
Flash whited00r on an iPhone 3G
1) put the device in DFU mode
2) flash the 3.1.2 (7D11) firmware
3) run blackra1n to skip activation
4) put the device in recovery mode
5) flash whited00r.ipsw
1. Prepare a custom Apple iPhone RAM disk. The Internet has tons of FAQs on how to make it (for example with the help of iLiberty+). Mount your RAM disk /dev/rdisk0s2 and delete the file /mnt/mobile/Library/Preferences/com.apple.springboard.plist. This is the config which tells Springboard "passcode: on".
2. Using any utility get your iPhone into "Recovery Mode" and then upload the RAM disk using something like this:
3. Then reboot your iPhone and that's it: the password protection is not present anymore.
Congratulations, you have hacked your first iPhone…
The boot chain for the application CPU is
The entire boot chain (except the bootrom) resides on the NOR flash (some of the very latest devices like the iPod Touch 3G use NAND flash).
There is an open source version of iBoot, openiboot (master branch of planetbeing's iphonelinux on GitHub), that is used for iPhone Linux / iDroid. I would start with that if I were interested in understanding the boot process.
Routing iOS via USB
To SSH into the device without wireless or 3G (over USB):
* Download usbmuxd-1.0.6.tar.bz2
Accessing the rootfs
On Mac OS X you can use a program named 'iPhone Explorer'. All files copied to the device with this protocol are written with root permissions, which is why you will later need to fix them in the terminal.
If the phone is not jailbroken you can only access Media and Apps. If jailbroken, you can access the whole rootfs. On Linux you can use this great library:
http://cydia.hackulo.us -- installous + crackulous
Unlock iPhone3G with 4.2.1 and BB 05.15.04
The only unlock possible is via IMEI. There are no exploits for this baseband and no downgrade is possible. Game over.
There's an update for PwnageTool 4.2 (Friday is funday) which incorporates an exploit from @sherif_shahim. This tool can be used to generate a custom firmware that is activated and theoretically unlocked (didn't work on my iPhone 3G (everything OK, except the unlock)).
IMEI unlock here (30€)
Playing with the baseband's SecZONE
Quit from reboot recovery mode
Decrypt the rootfs
Note that the rootfs and ramdisk are .dmg files in the root of the .ipsw zip. See the following web page to identify them. But basically the big one is the rootfs and the smaller ones are the ramdisks for update and restore.
To decrypt the rootfs you need the vfdecrypt tool ( git://github.com/dra1nerdrake/VFDecrypt.git )
It needs a patch to run on OSX.
On OSX you can mount the dmg with 'open DecryptedROOTFS.dmg'.
To get the key of the rootfs, you can use the tool genpass.
018-4872-6.dmg is the encrypted rootfs image and ramdisk.dmg is the decrypted ramdisk.
s518900x is the device platform name:
Decrypt the ramdisk
The ramdisk is encrypted with an IV and a KEY. Check the keys page (above) for more info.
Now use xpwntool from
Use Disk Utility on OSX to mount the dmg. This is a raw HFS image, not a whole disk image like the rootfs.
RamDisk with SSH
To upgrade the baseband (on the iPhone 3G) you must get the BB30 binary from the Fuzzyband application (Cydia); this binary is also named BBUpdaterExtreme and 'bbupdater'. You can use this tool to talk to the radio chip.
This command depends on the bootloader version to work properly.
Theoretically you can't downgrade with this tool, only upgrade :( I have tested it and it just resets the simlock, so you get nothing good from it.
The ICE*.[fls|eep] files must be extracted from the update/recovery ramdisk of the firmware. Those files are located in this path:
See the instructions above to decrypt and mount the ramdisk image.
Other commands to use with BB30:
To remove all dirty changes from your baseband check this tool.
geohot vs musclenerd
Patching iBoot with IDA
No solution yet? :((