Hackers a step closer to unlocking iPhone
Published: 10 Jul 2007 10:00 BST
Reverse engineers are now able to activate an iPhone without an AT&T account and can gain shell access via a serial connection.
This follows last week's discovery of the iPhone's root password in a system recovery image. All hacks occurred within nine days since the iPhone was released in the US.
Jon Lech Johansen announced on his blog that he has developed a method for activating an iPhone without an account from telecommunications carrier AT&T. After the hack, most of the iPhone's functions work — for example, the wireless capabilities and music playback feature — but it can't be used as a phone.
The hack involves editing the machine code of iTunes using a hex editor and changing the PC's hosts file to trick the iPhone into activating locally without connecting to an apple server. The hosts file controls to which location a domain name (such as www.zdnet.co.uk) points to on the internet.
Currently the hack only works under Windows, as it requires the .Net 2.0 framework. The process will work on a Macintosh using Parallels, however.
VIDEO
Dialogue Box 4.3: Does the iPhone 3G mean business?
Dialogue Box hooks up its shiny new iPhone 3G to Exchange Server, and has an 'email-off' with a keyboard-equipped Windows Mobile smartphone...
Discussion has sprung up around the unofficial hub of iPhone hacking, the hackint0sh.org forums. Reports from community enthusiasts are positive about the results of the hack, speculating that it may become a major step on the road to using an iPhone on a non-AT&T network, which would allow its use outside the US.
In a second hack, enterprising hackers have gained access to an interactive shell through a serial connection. This allows terminal access to the phone's boot loader, which controls the software image that is loaded when the iPhone starts up. The process involves hand soldering the iPhone dock and exposing a serial port, presumably intended for debugging.
This breakthrough is by no means the end of the road, one of the hackers working on the reverse-engineering process, going by the name "geohot", posted on the iPhone Dev Wiki: "The serial interface isn't really as great as it sounds... We know how to unlock the phone. Unfortunately, the commands needed gave 'permission denied' errors."
The hack resulted in a list of the commands the iPhone will accept through the interactive shell — should the permission issue be bypassed. The commands give access to the iPhone's memory as well as allowing the booting of a custom software image or running of a custom script. This will allow unrestricted access to the device.
Another iPhone hacker, who wished only to be identified as "gj", gave a progress update: "Initially we thought the serial shell was a big breakthrough because we had hoped it would let us write directly to the radio [module]. We know that, once we can do that, there is a very good chance we can unlock the phone. Unfortunately the boot loader [which is what's accessed by the serial shell, at least partially] is all 'permission denied'... I'm not sure if it's a dead end or not; it is a valuable capability on a number of fronts but I can't really tell you if it will bring us where we want."
Subsequently, the iPhone Dev Wiki team reported that "ringtones would be a 'trivial' thing to do now", although "the boot loader is basically a dead end... Fortunately we have another in."
Did you find this article useful?
20 out of 24 people found this useful
- Share this article:
