DarkWrath
06-23-2009, 11:20 AM
IT APPEARS THAT THE iPHONE 3GS HAS BEEN (SEMI) PWNED!
Edit: He has also added a ramdisk key (http://outgoing.ipodtouchfans.com/?d=aHR0cDovL2lwaG9uZWp0YWcuYmxvZ3Nwb3QuY29tLw%7E%7E) if that is of any interest. It means we are one step closer to jailbreak :D AND here's the vfdecrypt key: 7D779FED28961506CA9443DE210224F211790192B2A2308B8BC0E7D4A
On http://iphonejtag.blogspot.com (http://outgoing.ipodtouchfans.com/?d=aHR0cDovL2lwaG9uZWp0YWcuYmxvZ3Nwb3QuY29t) it appears that GeoHot has pwned (by pwned I mean an iBoot exploit) the iPhone 3GS. He has posted the makings of the jailbreak for the new iPhone 3GS (N88AP) (entitled 'no sn0w in summer'). Only time will tell how this develops, but I think we have another iDevice in the bag (with a bit more work)!
Check Image Below for Proof:
http://www.ipodtouchfans.com/forums/imgcache2/46369.png
Steaps
06-23-2009, 11:52 AM
Saw this earlier. Looks sweet :).
DarkWrath
06-23-2009, 12:10 PM
Saw this earlier. Looks sweet :).
Sounds like good news for the iPhone community. It shouldn't be too long 'til all the devs make a jailbreak, with a bit of luck.
jimbeam
06-23-2009, 12:10 PM
Oh F*cking sweet!! If he can get it fully jailbroken before Apple releases another FW update, then we can unlock them with ultrasn0w!! They run the exact same BB on the exact same BB hardware.
studangerous
06-23-2009, 12:19 PM
It's been a rollercoaster ride here this last two weeks! I want to get off! :p
Steaps
06-23-2009, 12:25 PM
Oh F*cking sweet!! If he can get it fully jailbroken before Apple releases another FW update, then we can unlock them with ultrasn0w!! They run the exact same BB on the exact same BB hardware.
Even if Apple does release a new firmware update, just don't update?
jimbeam
06-23-2009, 12:25 PM
Anyone notice this?
http://www.ipodtouchfans.com/forums/attachment.php?attachmentid=39146&d=1245785120
http://purplera1n.com/
iamkewl
06-23-2009, 12:26 PM
epic :P
DarkWrath
06-23-2009, 12:27 PM
Anyone notice this?
http://www.ipodtouchfans.com/forums/attachment.php?attachmentid=39146&d=1245785120
http://purplera1n.com/
Yeah, I was gonna post it but I didn't get round to it lol
atomicmufin
06-23-2009, 12:28 PM
woooo!
I'm so psyched! I thought it'd be a while!
Tourniquet.
06-23-2009, 12:30 PM
Wooo, I hope he will get it to work!
We (iPhone 3G owners) need the voice control and video recording. So if this works, then someone could port those apps to the 3G! :D
jfb392
06-23-2009, 12:31 PM
geohot is seriously amazing.
And I don't like that Apple is getting smarter, the new ECID stuff is bad news for everyone.
I have a feeling that they'll be able to shut those who aren't early adopters out if this hinges on any kind of software exploit, even just initially like the iPod 2G.
If you're wondering what this ECID stuff is, read the second most recent blog entry.
If you don't feel like it, just know it's bad for both iPhone and iPod owners.
iamkewl
06-23-2009, 12:32 PM
Anyone notice this?
http://www.ipodtouchfans.com/forums/attachment.php?attachmentid=39146&d=1245785120
http://purplera1n.com/
How'd you find that?
Interesting.
jimbeam
06-23-2009, 12:34 PM
geohot is seriously amazing.
And I don't like that Apple is getting smarter, the new ECID stuff is bad news for everyone.
I have a feeling that they'll be able to shut those who aren't early adopters out if this hinges on any kind of software exploit, even just initially like the iPod 2G.
If you're wondering what this ECID stuff is, read the second most recent blog entry.
If you don't feel like it, just know it's bad for both iPhone and iPod owners.
Does that ECID stuff apply to all iPhones or just the 3GS? Either way, as long as we have the hardware exploits (pwnage) ECID does not really matter. That's what I got from the post anyway.
DarkWrath
06-23-2009, 12:40 PM
How'd you find that?
Interesting.
It's down under the Commands heading in the cmd window.
Wooo, I hope he will get it to work!
We (iPhone 3G owners) need the voice control and video recording. So if this works, then someone could port those apps to the 3G! :D
Check out this link (http://outgoing.ipodtouchfans.com/?d=aHR0cDovL2lzcGF6aW8ud29yZHByZXNzLmNvbS8yMDA5LzA2LzIzL2d1aWRhLWFsbGF0dGl2YXppb25lLWRlbGxlLWZ1bnppb25hbGl0YS1wZXItbW9kaWZpY2FyZS1pLXZpZGVvLXN1bGxpcGhvbmUtZWRnZS1lLTNnLw%7E%7E) on iSpazio for unlocking video editing and other goodies on the 3G and EDGE generations. It's in Italian but I'm sure Google Translate will do most of the work for you ;)
Mircix
06-23-2009, 12:46 PM
George Hotz is one crazy guy.. he's only 19! GeoHot FTW
jimbeam
06-23-2009, 12:46 PM
It's down under the Commands heading in the cmd window.
Check out this link (http://outgoing.ipodtouchfans.com/?d=aHR0cDovL2lzcGF6aW8ud29yZHByZXNzLmNvbS8yMDA5LzA2LzIzL2d1aWRhLWFsbGF0dGl2YXppb25lLWRlbGxlLWZ1bnppb25hbGl0YS1wZXItbW9kaWZpY2FyZS1pLXZpZGVvLXN1bGxpcGhvbmUtZWRnZS1lLTNnLw%7E%7E) on iSpazio for unlocking video editing and other goodies on the 3G and EDGE generations. It's in Italian but I'm sure Google Translate will do most of the work for you ;)
Thanks for that iSpazio link! Can't wait to get home now!
Edit: :( It kills the camera and you have to manually add the video to edit :( Still no MMS on the 2G.
Ezekeel
06-23-2009, 12:52 PM
If I understand this correctly for each iPhone in existence a unique img3 is generated which has to be signed by the Apple server. You know the file before it has been signed and after. If you would collect this data for each iPhone, you would get an enormous database of unsigned and corresponding signed files. Would it be possible to crack Apple's signature key using this database?
Sparkyx
06-23-2009, 12:55 PM
Wow! Good Work! I just hope that when the iPod Touch 3rd Gen comes out, it won't have too many signature checks to bypass in order for a jailbreak to be created. Apple is smartening up...and i don't like it.
max10125
06-23-2009, 12:58 PM
Wow, nice! Can't wait to see this be fully functional, another Apple device to add to the list.
sprint_user
06-23-2009, 01:13 PM
Jeez! My head is spinning from all the Apple news!
SiXAXiS
06-23-2009, 01:24 PM
i feel your pain.
-wiseman-
06-23-2009, 01:40 PM
WOW that was quick!
Edin.
06-23-2009, 01:41 PM
That was indeed fast. But I doubt we'll see a full fledged jailbreak anytime soon. If it does, I do see it being called purplesn0w for some reason. We're running out of colors.
andybno2
06-23-2009, 01:53 PM
Is it wrong to look at this and have a little cheesy grin on my face 'cause it was done under Windows and not a Mac for once hehehe
joe0245
06-23-2009, 02:03 PM
maybe tartansn0w :P
MacPwn
06-23-2009, 03:01 PM
Even though this was amazing work done by geohot, this probably means the jailbreak will still take awhile. Great job though geohot!
wilts
06-23-2009, 03:06 PM
no sn0w in summer
ahah classic
madcowz
06-23-2009, 03:33 PM
Wow. Apple got 0wned.
jfb392
06-23-2009, 04:47 PM
Does that ECID stuff apply to all iPhones or just the 3GS? Either way, as long as we have the hardware exploits (pwnage) ECID does not really matter. That's what I got from the post anyway.
It applies to just the 3GS, so far anyway.
ECID is still relevant, even if you have a jailbreak, because you cannot downgrade if you are on a stock firmware and do not have a decrypted copy of the images.
A bad example would be if you were jailbroken, which may rely on an exploit in the 3.0 7A341 iBoot.
If your phone came stock 3.0.1 or you updated to a stock 3.0.1, you would (in theory) not be able to downgrade to 3.0 again without a decrypted copy of your images.
So, if your phone came 3.0 stock and you jailbroke it, then updated to stock 3.0.1 without a dump of your images, you're potentially stuck.
If you bought a phone with 3.0.1 on it and the bug was fixed (this is of course, assuming it only exists in the 3.0 7A341 iBoot), you were done when you purchased the phone.
Other potentially dangerous stuff is SEPO, which Apple could potentially use in tandem with different batches of devices.
Say from week X to week Y have a vulnerability (because they shipped with a vulnerable firmware), the next batch, week Z and week A, could be altered to have an updated epoch.
If a vulnerable image (say an image from the current firmware, 7A341) has a different epoch (one older than the epoch defined on the phone), the image won't run.
Nothing else has to be updated really, just the epoch needs to be changed.
This means no new bootrom has to be shipped.
I do not know where the epoch information is stored (I assume in the NOR), but it should be easy to update, since there are already two different values for the iPod 2G.
Remember the whole 2.1.1 iBSS not liking newer devices?
I believe that whole fiasco may have been caused by the new epoch, but this hasn't been explicitly stated by any Dev Team member.
If I understand this correctly for each iPhone in existence a unique img3 is generated which has to be signed by the Apple server. You know the file before it has been signed and after. If you would collect this data for each iPhone, you would get an enormous database of unsigned and corresponding signed files. Would it be possible to crack Apple's signature key using this database?
I don't know if brute force is really an acceptable route, since I assume Apple would not be dumb enough to use a key that weak.
The whole server thing kind of seems weird to me, because that means the phone relies on Apple's servers, which is somewhat dumb.
It would make a lot more sense if the process was done on-device and the image was modified by iTunes, but there are little details on the whole process.
Hopefully we'll see more details emerge soon enough.
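The signing model Ezekeel asked about (a per-device img3 signed by an Apple server) and the epoch gate jfb392 describes above can be made concrete in a small simulation. The block below is an added example written for this thread; it is not code from geohot, the Dev Team, or Apple. The blob layout (image hash, then ECID, then epoch), the function names, the ECIDs and the image bytes are all constructed assumptions, and it uses textbook RSA over a SHA-256 digest only to stay free of third-party packages (real code signing uses a padded scheme such as RSA-PSS or ECDSA from a vetted library). It shows why a signed blob for one device is refused on another, why a modified image fails, and how bumping the device epoch alone refuses an otherwise validly signed older image.

```python
"""Illustrative model of per-device (ECID-bound) firmware-image signing and an
epoch check.  Added example for this thread, not code from geohot, the Dev
Team, or Apple; the blob layout, names and every value are constructed.
Textbook RSA over a SHA-256 digest keeps it dependency-free; real code signing
uses a padded scheme (RSA-PSS, ECDSA) from a vetted library."""
import hashlib
import math
import random
import struct

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits=512, seed=0xC0FFEE):
    """Seeded textbook RSA keypair so the demo is reproducible.
    Returns ((n, e), (n, d)); d stays on the signing server, devices get (n, e)."""
    rng = random.Random(seed)

    def rand_prime():
        while True:  # top bit set for full size, low bit set so it is odd
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = rand_prime(), rand_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            break
    n = p * q
    return (n, PUBLIC_EXPONENT), (n, pow(PUBLIC_EXPONENT, -1, phi))


def personalized_digest(image, ecid, epoch):
    """What the server signs: SHA-256 over (image hash || ECID || epoch).
    Binding the ECID is what makes a signed blob useless on another device."""
    h = hashlib.sha256(hashlib.sha256(image).digest())
    h.update(struct.pack(">QI", ecid, epoch))  # assumed blob layout
    return int.from_bytes(h.digest(), "big")


def sign_for_device(priv, image, ecid, epoch):
    """Server side: only the holder of d can produce this value."""
    n, d = priv
    return pow(personalized_digest(image, ecid, epoch), d, n)


def boot_check(pub, image, sig, device_ecid, device_epoch, image_epoch):
    """Device side: the epoch gate runs first, then the signature check using
    the device's own ECID.  Returns (accepted, reason)."""
    n, e = pub
    if image_epoch < device_epoch:
        return False, "epoch too old"
    if pow(sig, e, n) != personalized_digest(image, device_ecid, image_epoch):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Four boot attempts with one signed blob; returns a dict of outcomes."""
    pub, priv = generate_keypair()
    image = b"constructed iBoot stand-in, not real firmware bytes"
    ecid_a, ecid_b = 0x000123456789ABCD, 0x0000FEDCBA987654  # made-up ECIDs
    sig_a = sign_for_device(priv, image, ecid_a, epoch=1)
    return {
        "own device": boot_check(pub, image, sig_a, ecid_a, 1, 1),
        "replayed on device B": boot_check(pub, image, sig_a, ecid_b, 1, 1),
        "tampered image": boot_check(pub, image + b"\x00", sig_a, ecid_a, 1, 1),
        "device epoch bumped": boot_check(pub, image, sig_a, ecid_a, 2, 1),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:22s} -> {'boots' if ok else 'refused'} ({why})")
```

Two things the model makes visible. The device only ever holds the public half (n, e), so a large collection of (unsigned, signed) pairs is nothing more than what the public key already lets anyone verify; for a properly sized key it gives no route to d, which is the point jfb392 makes about brute force. And the epoch case shows why a per-device cache of your own signed blobs matters: once the device's epoch (or the server's willingness to sign) moves on, the only blob that will ever pass boot_check for that image on that ECID is one that was saved while it was still being issued.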
Ezekeel
06-23-2009, 05:05 PM
I don't know if brute force is really an acceptable route, since I assume Apple would not be dumb enough to use a key that weak.
We could start a distributed computing project like seti@home to crack Apple's key. :D
The whole server thing kind of seems weird to me, because that means the phone relies on Apple's servers, which is somewhat dumb.
It would make a lot more sense if the process was done on-device and the image was modified by iTunes, but there are little details on the whole process.
They need to sign the modified img3 somehow. If they do it on-device they have to somehow store their precious key on the device. And they are probably too afraid that someone might find a way to get to this key.
jfb392
06-23-2009, 05:20 PM
We could start a distributed computing project like seti@home to crack Apple's key. :D
They need to sign the modified img3 somehow. If they do it on-device they have to somehow store their precious key on the device. And they are probably too afraid that someone might find a way to get to this key.
Well, by your logic, we would have already extracted both the GID and UID keys from each device.
However, we haven't and probably won't ever.
They cannot be brute forced and they haven't been obtained from the phone through any type of attack so far, so they probably won't be any time soon.
lilskaterpunk
06-23-2009, 05:29 PM
Pwnd! iPhone 3GS jailbreak soon...? :)
jimbeam
06-23-2009, 05:51 PM
It applies to just the 3GS, so far anyway.
ECID is still relevant, even if you have a jailbreak, because you cannot downgrade if you are on a stock firmware and do not have a decrypted copy of the images.
A bad example would be if you were jailbroken, which may rely on an exploit in the 3.0 7A341 iBoot.
If your phone came stock 3.0.1 or you updated to a stock 3.0.1, you would (in theory) not be able to downgrade to 3.0 again without a decrypted copy of your images.
So, if your phone came 3.0 stock and you jailbroke it, then updated to stock 3.0.1 without a dump of your images, you're potentially stuck.
If you bought a phone with 3.0.1 on it and the bug was fixed (this is of course, assuming it only exists in the 3.0 7A341 iBoot), you were done when you purchased the phone.
Other potentially dangerous stuff is SEPO, which Apple could potentially use in tandem with different batches of devices.
Say from week X to week Y have a vulnerability (because they shipped with a vulnerable firmware), the next batch, week Z and week A, could be altered to have an updated epoch.
If a vulnerable image (say an image from the current firmware, 7A341) has a different epoch (one older than the epoch defined on the phone), the image won't run.
Nothing else has to be updated really, just the epoch needs to be changed.
This means no new bootrom has to be shipped.
I do not know where the epoch information is stored (I assume in the NOR), but it should be easy to update, since there are already two different values for the iPod 2G.
Remember the whole 2.1.1 iBSS not liking newer devices?
I believe that whole fiasco may have been caused by the new epoch, but this hasn't been explicitly stated by any Dev Team member.
I don't know if brute force is really an acceptable route, since I assume Apple would not be dumb enough to use a key that weak.
The whole server thing kind of seems weird to me, because that means the phone relies on Apple's servers, which is somewhat dumb.
It would make a lot more sense if the process was done on-device and the image was modified by iTunes, but there are little details on the whole process.
Hopefully we'll see more details emerge soon enough.
How can I get a usb dump of a restore? Just to be safe. This is not good :(
ipodtouchpwnd69
06-23-2009, 06:02 PM
Wow, they already did this? In a couple of days? It took the iPod touch 2G like 5 months to get a tethered jailbreak haha. C'mon Apple, learn from your mistakes!
jfb392
06-23-2009, 06:05 PM
How can I get a usb dump of a restore? Just to be safe. This is not good :(
I have no idea yet, I assume geohot or someone else will post instructions if it is really required.
jimbeam
06-23-2009, 06:09 PM
oh well. Guess I'll dig around. Should be out there somewhere.
Ezekeel
06-23-2009, 06:22 PM
Well, by your logic, we would have already extracted both the GID and UID keys from each device.
However, we haven't and probably won't ever.
They cannot be brute forced and they haven't been obtained from the phone through any type of attack so far, so they probably won't be any time soon.
Just because it has not been done yet, does not mean it is impossible. Dunno what the GID and UID keys are for (and I am too lazy to search), but I guess Apple's signing key would be a tad more important and thus someone might be motivated enough to try even if it means trashing your iPhone by hardware modding it.
jfb392
06-23-2009, 06:59 PM
Just because it has not been done yet, does not mean it is impossible. Dunno what the GID and UID keys are for (and I am too lazy to search), but I guess Apple's signing key would be a tad more important and thus someone might be motivated enough to try even if it means trashing your iPhone by hardware modding it.
Well, they aren't stored in memory and aren't exactly lying there on a chip, ready to be dumped.
The situation is comparable to consoles; they use lots of different encryption keys, but they aren't all dumped because most of them aren't possible to dump by feasible means.
And, maybe you should do some research.
The GID and UID keys aren't just some stupid keys that are barely used; the GID key is a universal key (well, universally the same for each processor) used to encrypt various things, namely images.
Now, if there are three processors and they each have a GID key, why hasn't each been dumped so there is no need to use the AES engine anymore?
Oh yeah, because it's not exactly easy (and likely impossible altogether).
The UID key is used to encrypt things on the NOR and is unique to your device.
Obviously, this isn't published anywhere because it's unique.
There are other encryption keys, like the NCK, which haven't been brute forced either.
The NCK is used to encrypt an unlock token, which is then sent by Apple through iTunes to perform a valid unlock.
Now, you'd think this would be brute forced, since it's only 15 characters?
Wrong.
Instead, vulnerabilities are found within the baseband as a workaround, because the NCK cannot be brute forced, just like many other encryption keys.
Stick_Man
06-23-2009, 07:26 PM
Wow, they already did this? In a couple of days? It took the iPod touch 2G like 5 months to get a tethered jailbreak haha. C'mon Apple, learn from your mistakes!
You're aware that the Dev Team hadn't been looking at the iPod touch for the first 5 months it was out, right?
ipodtouchpwnd69
06-23-2009, 08:50 PM
You're aware that the Dev Team hadn't been looking at the iPod touch for the first 5 months it was out, right?
Yeah but this guy isn't in the dev team. And other people were trying to find a jailbreak for the ipod touch 2g and they aren't a member of the dev team.
flashisflamable
06-23-2009, 09:47 PM
I could have sworn geohot was on the dev team...what do I know his name from?
Nburnes
06-23-2009, 09:49 PM
I could have sworn geohot was on the dev team...what do I know his name from?
He was the first person ever to have a hardware-unlocked iPhone.
http://en.wikipedia.org/wiki/George_Hotz
Ezekeel
06-23-2009, 09:49 PM
Well, they aren't stored in memory and aren't exactly lying there on a chip, ready to be dumped.
The situation is comparable to consoles; they use lots of different encryption keys, but they aren't all dumped because most of them aren't possible to dump by feasible means.
If they are stored, they can be read. You would be surprised what people who really understand the electronics behind a device can do.
And, maybe you should do some research.
The GID and UID keys aren't just some stupid keys that are barely used; the GID key is a universal key (well, universally the same for each processor) used to encrypt various things, namely images.
Now, if there are three processors and they each have a GID key, why hasn't each been dumped so there is no need to use the AES engine anymore?
Oh yeah, because it's not exactly easy (and likely impossible altogether).
The UID key is used to encrypt things on the NOR and is unique to your device.
Obviously, this isn't published anywhere because it's unique.
That proves my point that Apple's signature key is more important. As you say the GID is for encrypting images and getting it would not be worth the effort since it is not really necessary. The UID is unique for each device, so it is also clearly not worth the effort. On the other hand, if one could get their hands on Apple's key this would be a disaster for Apple since people could sign everything they want, which would make jb trivial.
DarkWrath
06-23-2009, 11:27 PM
Ramdisk key added to blog (http://outgoing.ipodtouchfans.com/?d=aHR0cDovL2lwaG9uZWp0YWcuYmxvZ3Nwb3QuY29tLw%7E%7E)
and vfdecrypt key is on first page of thread :D
Looks like a jailbreak is not far off...
Jomann
06-23-2009, 11:51 PM
How does it feel apple lolololololololol
feel the shame
hotcereal
06-24-2009, 12:01 AM
You're aware that the Dev Team hadn't been looking at the iPod touch for the first 5 months it was out, right?
That's because there was only one guy on the team who had one. And he was lazy, a Windows user, and could barely code.
jfb392
06-24-2009, 08:59 AM
If they are stored, they can be read. You would be surprised what people who really understand the electronics behind a device can do.
That proves my point that Apple's signature key is more important. As you say the GID is for encrypting images and getting it would not be worth the effort since it is not really necessary. The UID is unique for each device, so it is also clearly not worth the effort. On the other hand, if one could get their hands on Apple's key this would be a disaster for Apple since people could sign everything they want, which would make jb trivial.
The GID key is incredibly important, and even an understanding of things will not allow you to do everything.
Read a discussion between people who actually know what they're talking about here (http://www.theiphonewiki.com/wiki/index.php?title=Talk:GID-key).
veeloc
06-24-2009, 09:01 AM
Yeah but this guy isn't in the dev team. And other people were trying to find a jailbreak for the ipod touch 2g and they aren't a member of the dev team.
Exactly, http://blog.nj.com/ledgerupdates/2007/08/_george_hotz_pale.html
This guy's cool.
Check the comments lolz.
Ezekeel
06-24-2009, 11:17 AM
The GID key is incredibly important
But not essential, since there apparently is a workaround, because we all have jailbroken devices.
and even an understanding of things will not allow you to do everything. Read a discussion between people who actually know what they're talking about here (http://www.theiphonewiki.com/wiki/index.php?title=Talk:GID-key).
This discussion just shows that they do not know everything. The conclusion that therefore it is impossible is faulty logic.
jimbeam
06-25-2009, 07:34 PM
They have the bootrom!!! Good news.
MuscleNerd
@mikehindman not to get anyone's hopes up too early, but it's looking like ultrasn0w will be multi-platform :)
about 2 hours ago from web in reply to mikehindman
The MIU was no match against you @planetbeing! Great job on helping @geohot expose the GS bootrom. And what goodness it has!
about 2 hours ago from web