iPhone 2.1 Hacking – Getting Started

The iPhone 2.1 hacking series is going to focus on cracking open the iPhone and using it to learn programming, UNIX and networking.  To write this article I’m using a first generation iPhone with a fresh install of the 2.1 firmware and a MacBook Pro.

Jailbreaking 2.1

I’m assuming you already have an iPhone with the 2.1 firmware installed.  If you haven’t upgraded to 2.1 you can do so by following these instructions on Apple’s website. 

Now that we are all up to date with 2.1 we need to jailbreak our iPhones.  I used the iPhone Dev Team’s PwnageTool for 2.1 Firmware.  After you start PwnageTool you are presented with a couple of options Simple mode, Export mode and the type of device you have.

I can’t ever resist Expert mode.  The next screen will search your system for firmware bundles and give you a list to choose from. 

The next pane gives you a list of areas that you can customize. Select General Settings and click next.

Under General Settings I unchecked Active the phone and Enable baseband update.  These settings are for unlocking the phone to use non AT&T sim cards.  I like to bump up the root partition to 2GB to give some breathing room for the OS.

The next screen is Bootneuter settings.  Bootneuter is also for non AT&T sim cards.  I unchecked the Neuter bootloader box on this screen.

The next screen allows you to install Cydia apps.  I decided to install MobileTerminal, Bourne-Again SHell, Cydia Installer and OpenSSH.  We will install more applications with Cydia later.

The next page is Custom packages settings.  I choose to install Cydia and Installer.app.

The next screen is where you can set a custom logo.  I’ve never been able to get this to work without changing the default logos in the PwnageTool.app package itself.

The next screen takes you back to the main menu.  At this point you should be ready to select  build then click on the next button.

The next step asks where you want to save your custom firmware, I saved mine to the desktop.  After that PwnageTool starts creating a custom IPSW file.  At some point it will ask you for your system password.

After the IPSW (iPhone/iPod Firmware Update File) file has been created you will be asked if your phone has been Pwned before.  I said no because I have fresh 2.1 firmware.

Next you will need to enter DFU (Device Firmware Update) mode.  Follow the instructions on screen.  The first time it took me a couple of tries.

Now you should be able to restore your phone with the hacked IPSW.  To use a custom IPSW in iTunes option-click the Restore button in itunes.  It should open a dialog to let you chose your hacked IPSW file.  After a few minutes iTunes will show a prompt stating that the iPhone has been restored to factory settings and is restarting.  After the restart iTunes will direct you to a “Set Up Your iPhone” page.  Here you will choose “Setup as a new iPhone”.  The first sync will bring back all of your settings and AppStore apps.

Installing UNIX, Developer and Networking Tools

At this point you should have a fully functional jailbroken iPhone.  The first order of business is to check out Cydia and install some additional goodies.  When you start Cydia for the first time it gives you three different modes.  Choose the “developer” mode.  This will give you unfiltered access to all of Cydia’s packages.  There are usually some updates to run, you can go to the Changes tab to upgrade any out of date applications.

Next lets install some applications from Cydia.  Before you get started go to the Settings application, under General turn off auto-lock.  If your phone locks during a software install the install may be terminated prematurely. Here is the list of apps I like to install  to UNIX up and get some development tools.  Some of these seem to come installed by default.

Administration

• adv-cmds
• Darwin Tools
• lsof
• shell-cmds
• Sudo
• system-cmds
• top

Archiving

• bzip2
• gzip
• Tape Archive
• upzip
• zip

Data Storage

• Berkely DB
• SQLite v3

Development

• Bison
• Csu
• Darwin CC Tools
• Diff Utilities
• Flex
• GNU C Compiler
• GNU Debugger
• indent
• Make
• patch

Networking

• inetutils  (includes ftp, telnet, rsh, rlogin, tftp)
• lighttpd
• links
• Lynx
• My TraceRoute
• network-cmds
• nmap
• OpenSSH
• vsftpd
• wget
• whois

Packaging

• APT
• Debian Packager
• Scripting
• iPhone/Python
• Ruby

Security

• OpenSSL

System

• ARM Floating Point
• Base Structure
• gettext

Terminal Support

• MobileTerminal

Text Editors

• nano
• Vi IMproved

Utilities

• Core Utilities (inlcude: chgrp, chown, chmod, cp, dd, df, dir, du, ln, ls, mkdir, mkfifo, mknod, mv, rm, cat, cksum, head, tail, md5sum, nl, oc, pr, tsort, join, wc, tac, paste, basename, chroot, date, dirname, echo, env, groups, hostname, nice, nohup, printf, sleep etc.)
• Find Utilities (includes find, locate, xargs)
• Gawk
• Grep
• less
• sed

Securing Your iPhone

Despite all of Apple’s efforts to secure the iPhone there are some horrifying insecurities.  They are breezed over by the idea that no one should be getting into the guts of the iPhone or logging into it’s UNIX system.  The biggie that we need to take care of right away is changing the passwords for the root and mobile users.  Every iPhone has the same passwords for these two users, alpine.  Now that we’ve installed the networking services OpenSSH and vsftpd we’ve given people a way into our systems, via FTP or SSH a malicious hacker could login and steal or delete your data if they knew your password.  Now they do, alpine.

On iPhone and all other UNIX systems you can change your password with the passwd command.  Go to MobileTerminal, you will automatically be logged in as the mobile user.  At the prompt type passwd and hit return.

You will have to type the old password, alpine, and your new password twice.

Now we need to change the root user’s password.  To change the password for the root user type su and hit enter.  You will need to login again using alpine.  Now you can repeat the same steps as before using the passwd command.  This time you don’t have to type the old password, just the new password.

Type exit to log out of the root account.

Controlling Services

Now that we’ve installed ssh and ftp and secured our accounts we can go one step further by enabling these services only when we want to use them.  To turn our services on and off we’re going to use the launchctl command.   To start vsftpd  on iPhone use the following command:

launchctl load /System/Library/LaunchDaemons/com.bigboss.vsftpd.Startup.plist 

To stop vsftpd on iPhone use the following command:

launchctl unload /System/Library/LaunchDaemons/com.bigboss.vsftpd.Startup.plist 

To start sshd  on iPhone use the following command:

launchctl load /Library/LaunchDaemons/com.openssh.sshd.plist

To stop sshd  on iPhone use the following command:

launchctl unload /Library/LaunchDaemons/com.openssh.sshd.plist

This is a lot to type in MobileTerminal using the little iPhone keyboard.  If sshd is running you can use ssh to to login from Terminal.  Connect to a wireless network on your iPhone and check your ip address.

After you get your ip open terminal and type the following command:

ssh root@192.168.0.4

You will be prompted about the authenticity of the host, say yes.  The RSA key fingerprint gets saved in ~/.ssh/known_hosts and you will be prompted every time your iPhone gets a new ip address.

You are now logged into your iPhone and can run shell commands remotely.  You can start or stop vsftpd or stop sshd from the command line remotely.  Take note that when you disable sshd remotely your login isn’t terminated.  After you exit your session you will not be able to log back in unless you enable sshd from MobileTerminal.

Tags: Hacking, iPhone, Jailbreak