wk iOS list find blog view edit

iOS hacking

Firmware download

All firmwares from all iOS devices can be downloaded in this url:


In wikipedia there's a table with all firmware versions, changelog and baseband version included.

In this page you can find all decryption keys released for each firmware/version/device:


Opensource stuff:


Hack XCode to compile for ARM without certificates

Apple only allows to compile with gcc-arm in XCode when you provide a certificate which costs $99. You will have to associate the UDID (Unique Device ID) to the build, so you can only run legally one build on one device.

To get your app running in all devices you have to publish it in the Apple Store, so they sign it and cypher part of the binary to make it device-specific (this can be cracked with Crackulous tool found in cydia.hacklo.us repository)

Cydia provides a way to run unsigned programs in your device.. so you need to hack XCode to compile without the certificate. You can find the instructions here:



After flashing an official firmware on an iPhone, you'll need to activate it with iTunes. If the phone is locked you will need a SIM card from the proper operator.

There are methods to bypass this activation lock.

 * on ios 3.x you can use blackra1n
 * build custom firmware with PwnageTool
 * flash a whited00r firmware (custom cooked roms)

List all installed applications

An .IPA is just a .zip of the .app directory containing the application. To install it you should crack it with crackulous on the original device and then unzip the cracked IPA in /Applications.

for a in /Applications/*.app ; do
  prg=$(echo $a | cut -d / -f 3)
  printf "$prg\t$a\n"
for a in /var/mobile/Applications/*/*.app ; do
  prg=$(echo $a | cut -d / -f 6)
  printf "$prg\t$a\n"


To backup/restore data you can use "iobs". a tool that can be checked out here:

hg clone http://hg.youterm.com/toys

This program runs natively identifies various applications installed and tries to backup it.

I wrote this script to convert the AddressBook sqlite database into a VCARD list, so you can export/import it by attaching the resulting file in a mail. Keep that mail in your INBOX and after upgrading your phone just load it :)

# iOS AddressBook SQLite to VCARD
# Date: 2011-03-11
# Author: pancake<at>nopcode<dot>org


echo 'select ABPerson.first,ABPerson.last,ABMultiValue.value from ABPerson,ABMultiValue where ABMultiValue.record_id=ABPerson.ROWID;' | sqlite3 $DB | \
awk -F '|' '{print "BEGIN:VCARD\nVERSION:2.1\nFN:"$1$2"\nTEL;WORK;VOICE:"$3"\nEND:VCARD\n\n"}'

echo 'select name,value from ABRecent;' | sqlite3 $DB | \
awk -F '|' '{print "BEGIN:VCARD\nVERSION:2.1\nFN:"$1"\nEMAIL;PREF;INTERNET:"$2"\nEND:VCARD\n\n"}'

This script is named "ab2vcard" and it's distributed with iobs too.

NOTE: sqlite databases of official Apple applications can change between iOS versions. So copypasting the mail/sms/contacts sqlite file between different versions can result in crashes, inoperabilities, etc.. Always keep the original database file, do not overwrite it.
mv SMS.sqlitedb SMS.sqlitedb.orig
cp /tmp/SMS.sqlitedb .

Tethered Jailbreaks

Jailbreaks are not always complete. The types you may find out there are:

* untethered : fully working jailbreak
* tethered : the iphone will not boot until you exploit the bootloader and run a unsigned patched kernel that can run unsigned binaries from the jailbreaked rootfs.
* semi-tethered : when booting without assistent it will use the official Apple kernel. So only signed binaries will run and Cydia and other jb apps will not work. If you boot it with redsn0w you will get a fully usable jailbreaked foo.

redsn0w is a tool that can be used to boot a tethered device. You may pass the firmware (ipsw) to the program and click in "boot tethered right now" option.

For iPod Touch 2G i have a port of iRecovery that works on Linux with the redsn0w exploit to boot tethered ipod touch jailbreaked device.

Make DMG images from firmware mountable

You must change 'HX' to 'H+' at offset 0x400.

This is in r2:

$ r2 -w ramdisk.dmg
[0x00000000]> wx 2b @ 0x400
[0x00000000]> s 0x400
[0x00000400]> x
  offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00000400 482b 0004 0000 0100 3130 2e30 0000 0000 H+......10.0....
0x00000410 c754 e89e c755 6c3e 0000 0000 c755 591e .T...Ul>.....UY.
0x00000420 0000 0054 0000 0034 0000 1000 0000 0c09 ...T...4........
0x00000430 0000 0000 0000 0001 0001 0000 0001 0000 ................

Install GCC

Cydia's GCC is broken, you need to do some tricks to make it work.
1) Install 'APT 0.7 Strict' package from cydia.
  apt-get install wget inetutils rsync
  apt-get install python setuptools

2) Download missing packages from lolcathost:
  wget http://lolcathost.org/b/libgcc_4.2-20080410-1-6_iphoneos-arm.deb
  wget http://lolcathost.org/b/libSystem.dylib

3) Install them
  dpkg -i libgcc_4.2-20080410-1-6_iphoneos-arm.deb
  apt-get install com.bigboss.20toolchain
  cp libSystem.dylib /usr/lib
  cd /usr/lib ; ln -sf libSystem.dylib libm.dylib
  apt-get install make vim gawk

4) /var/include/sys/stat.h is broken.
  Solution: add 'int foo[3];' after 'st_rdev' at line 178

5) install mercurial
  easy_install mercurial

People in Twitter


Set DFU/Recovery mode

To set the device in DFU mode just follow this steps:
 - plug cable
 - press power and home buttons
 - wait 10
 - release power button and keep pressing home for about 5 secs more

 The device screen will be just black, use iTunes or iRecovery to run commands in the bootloader

To set the device in recovery mode
 - unplug cable
 - press power button for a while and slide power off
 - plug cable while pressing home button until itunes+cable screen appears.

Flash whited00r in iphone3g

1) put device in dfu mode
2) flash 3.1.2 (7D11) firmware
3) run blackra1n to skip activation
4) put device in recovery mode
5) flash whited00r.ipsw
6) profit

Boot ramdisk

1. Prepare custom Apple iPhone RAM disk. Internet has tons of FAQs how to make it (for example with help of iLiberty+). Mount your RAM disk /dev/rdisk0s2 and delete file /mnt/mobile/Library/Preferences/com.apple.springboard.plist. This is a config which tells Springboard “passcode: on”.
2. Using any utility get your iPhone into “Recovery Mode” and after that upload RAM disk using something like this:

(iPHUC Recovery) #: filecopytophone Bypass_Passcode.bin
(iPHUC Recovery) #: cmd setenv\boot-args\rd=md0\-x\-s\pmd0=0×9340000.0xA00000
(iPHUC Recovery) #: cmd saveenv
(iPHUC Recovery) #: cmd bootx

3. Then reboot your iPhone and that’s it: protection by the password are not present anymore.

Congratulations you have hacked your first iPhone…

Boot order

The bootchain for the app-cpu is

VROM(Bootrom)->LLB->iBoot->Kernel->System Software

The entire boot chain (except the bootrom) resides on the NOR flash (some of the very latest devices like the iPod Touch 3G use NAND flash).

There is an open source version of iBoot openiboot at master from planetbeing's iphonelinux - GitHub that is used for iPhone Linux / iDroid I would start with that if I was interested in understanding the boot process.

Routing iOS via USB


To to the device SSH without wireless or 3G (USB)

* Download usbmuxd-1.0.6.tar.bz2
cd usbmuxd-1.0.6/python-client
python tcprelay.py -t 22:2222 &

Accessing the rootfs

You can use on MacOSX a program named 'iPhone explorer'. All files copied to the device with this protocol will be done with root permissions. this is why you will later need to fix them in the terminal
chown -R mobile /var/mobile/*

If the phone is not jailbreaked you can only access Media and Apps. If jailbreaked, you can access the whole rootfs. On Linux you can use this great library:

Cydia repositories

http://cydia.hackulo.us -- installous + crackulous

Unlock iPhone3G with 4.2.1 and BB 05.15.04

The only unlock possible is via IMEI. No exploits for this BaseBand or downgrade possible. game over.
Explanation here.

There's an update for PwnageTool 4.2 (friday is funday) which incorporates an exploit from @sherif_shahim. this tool can be used to generate a custom firmware activated and theorically unlocked (didnt work in my iphone3g (everything ok, but unlock))

IMEI unlock here (30€)

Playing with the baseband's SecZONE


Quit from reboot recovery mode

setenv auto-boot true

Decrypt the rootfs

Note that the rootfs and ramdisk are .dmg files in root of the .ipsw zip. See the following web to identify them. But basically the big one is the rootfs and the smallers ramdisk for update and restore.

Keys: http://theiphonewiki.com/wiki/index.php?title=VFDecrypt_Keys

To decrypt rootfs you need vfdecrypt tool ( git://github.com/dra1nerdrake/VFDecrypt.git )
Needs a patch to run in OSX.
$ vfdecrypt -i ROOTFS.dmg -k KEY -o DecryptedROOTFS.dmg

In OSX you can mount the dmg with 'open DecryptedROOTFS.dmg'

To get the key of the rootfs, you can use the tool genpass

./genpass s5l8900x ramdisk.dmg 018-4872-6.dmg

the 018-4872-6.dmg is the ciphered rootfs image and ramdisk.dmg is the unciphered one ramdisk.
s518900x is the device platform name:
s5l8900x = iPhone, iPhone 3G and iPod Touch 1G
s5l8720x = iPod Touch 2G
s5l8920x = iPhone 3GS
s5l8922x = iPod Touch 3G
s5l8930 = A4 Processor used by iPad, iPhone 4, and iPod Touch 4G


Decrypt the ramdisk

The ramdisk is ciphered with IV and KEY. Check keys fmi

Now use xpwntool from
xpwntool ramdisk.dmg decrypted-ramdisk.dmg -k KEY -iv IV -decrypt

$ r2 decrypted-ramdisk.dmg
]> m hfsplus / 0
]> md /

Use DiskUtility in OSX to mount the dmg. This is a raw HFS image. not like the rootfs which is a whole disk image.

RamDisk with SSH


Upgrading baseband

To upgrade the baseband (in iPhone3G) you must get the BB30 binary from the Fuzzyband application (Cydia) this binary is also named BBUpdaterExtreme and 'bbupdater'. You can use this tool to talk to the radio chip.

launchctl unload /System/Library/LaunchDaemons/com.apple.CommCenter.plist
./BB30 queryversion # get radio version information
./BB30 update -f ICE2_05.12.01.fls -e ICE2_05.12.01.eep
launchctl load /System/Library/LaunchDaemons/com.apple.CommCenter.plist

This command depends on the Bootloader version to work properly.

Theorically you can't downgrade with this tool. Only Upgrade :( i have tested and it just resets the simlock so you get nothing good with it.

The ICE*.[fls|eep] files must be extracted from the update/recovery ramdisk of the firmware. Those files are located in this path:

See instructions above to decrypt and mount the ramdisk image

Other commands to use with BB30:
BBUpdaterExtreme help [unknown option] [?]
BBUpdaterExtreme queryversion | prints the current status of baseband firmware
BBUpdaterExtreme update -f ICE2_xx.xx.xx.fls -e ICE2_xx.xx.xx.eep | UPDATES ( not downgrades!!! ) Firmware version
BBUpdaterExtreme imeisv [option] | changes the imeisv value
BBUpdaterExtreme automatic -S -F [or -L for BL] | for automatic update (while firmware restores)
BBUpdaterExtreme audioparameters [?]
BBUpdaterExtreme ice3dump [?]
BBUpdaterExtreme staticeep [?]

To remove all dirty changes in your baseband check this tool.


geohot vs musclenerd


Patching iBoot with IDA


Wireless problems


No solution yet? :((