1. nyteschayde
    So, I have a 3G and I just got a 3GS today. Luckily the 3GS has 3.01. Unluckily I jailbroke it before I activated it. I didn't know how to restore its state so that it would activate correctly and I chose erase all files and reset all settings. This locked it up and caused it to require a restore. Good job Apple. <@#$%@#$....>

    Anyhow, the new problem, it seems, is that iTunes phones home to verify if a device should be allowed to use a particular firmware. This of course means no custom firmware and certainly no 3.0(.1) for the 3GS.

    Since I have a more or less bricked phone until I either upgrade to 3.1 or the 3.1 pwnage tool comes out I started thinking.

    1. Redsn0w can transmit files to the iPhone (still). Why couldn't it just deliver the firmware?

    2. Why don't we just patch iTunes to think it got the a-ok from Apple? Is there something missing here? Many cracked applications for computers work in this manner.

    Thoughts?
    2009-09-16 06:22 AM
  2. allen099
    The exploit that redsn0w uses has been patched up in OS 3.1 from my understanding.

    About your second point, read the sticky and the link in the sticky in this particular topic's forum. Saurik has done just that...with a little modification on your end, iTunes will be routed to Saurik's server to "fool" iTunes. There is a catch though, and that has to do with Apple signing the OSes. Read that sticky and all shall be unveiled :-)
    2009-09-16 06:30 AM
  3. nyteschayde
    Right, I know about the SHSH stuff. The problem is that I and *many* others didn't get our IDs on the Cydia server. Also he didn't patch iTunes, he recommends that you change your hosts file to trick iTunes into looking at his server instead.

    I was thinking of a more proper patch to the binary itself that just made it always see sunshine and smiles in regards to a firmware.

    As for #1, since I haven't moved to 3.1 yet, redsn0w can still use the existing 3.0(.1) exploit to access the phone's hardware and software. Therefore it could, technically, I think, transfer the firmware.

    My guess as to why there isn't a non-iTunes firmware updater is that in the past we've always been able to make it work. Perhaps there are some files we don't know about, but if redsn0w can still send files (and it can, but since it patches rather than replaces all the files it fails) then it should be able to do the full job that iTunes does, right?

    I don't know how the 3.1 exploit works, but my feeling is that it would be good if Apple wasn't made aware anytime soon.

    Also, would an older version of iTunes work? Pre 8.2 or whenever they introduced the phone home ability?
    2009-09-16 06:36 AM
  4. allen099
    I'm in the same boat as you...3.0.1 w/o the iBEC/iBSS files. I actually tried downloading an 8.2 pre-release for both Mac and Windows, and neither worked while the iPhone was in DFU. This was the first version that phoned home, and 8.1.x won't work with OS 3.0. We're kinda screwed in that regard. Well, according to Saurik's post though, we should be able to get our personalized files up to his server soon hopefully. These guys are incredible though, to help the community in this way. It's greatly appreciated.
    2009-09-16 06:43 AM
  5. nyteschayde
    Yeah I totally agree. I still think there is something we could do in patching the iTunes binary. My assembly is really poor but basically there should be a JUMP operation when the function is called to phone home. Many older hacks would change the JUMP to a NOOP (no operation) and the program would simply continue.

    Someone who programs in assembly could state this better than me. As long as the phone-home is the only check, modifying iTunes should work fine. I say should because I haven't tried it. I tried attaching Visual Studio to the iTunes process but then I epically failed because I couldn't figure out how to stop the program's execution. If you can't do that you can't find out where to change the binary.

    It could also be that this old trick no longer works but I am not sure.
    2009-09-16 06:48 AM
  6. xsemaphorex
    Right.

    Well, patching iTunes would be great... but here's the problem. iTunes is only the vehicle, if you will. Very little actually happens *IN* iTunes. Most of the magic happens in the shiny black (or white) brick that you hold in your hand.

    Example:

    During a restore, you can hack iTunes all the fsck you want. It won't do you a darn bit of good. The payload going INTO the iPhone is signed, deciphered, and verified *ON* the phone itself. You can send it whatever you want, if you 'hacked' iTunes. But the fact is that the actual code that handles the payload sits on the phone and only relatively rudimentary checks are done in iTunes itself.

    However... there is one thing that iTunes does that the phone does not do...
    2009-09-16 06:53 AM
  7. nyteschayde
    Has anyone done a diff on the expanded files in a firmware ipsw and the actual exploded file directories on the iPhone after a successful restore? What are the binary differences?

    If there is a process responsible for performing this verification on the iPhone (lockdownd?), can it be hacked to ignore it? The way I see it we have a couple of problems:

    1. Getting the software on the phone
    2. Getting the phone to play nicely with the software installed.

    If #1 requires hacking iTunes (so restores work) and #2 requires hacking the process (again, I don't know, guessing lockdownd) then would that suffice?
    2009-09-16 07:00 AM
  8. goodman1501
    I actually did try using different versions of old iTunes: 7.5, 8.0, 8.1, 8.1.1. All these do not connect to Apple's signature server to check the ECID; unfortunately they always stopped at error 1600, 1601. It was definitely not a USB-related error, because I tried 3 computers and many different USB ports and still got consistent results.

    The other thing I tried was to search where iTunes 8.2 stores its 3.1 ipsw after the signature check. It downloaded to a dir inside iTunes with the correct iPhone2,1_3.1.....ipsw filename. I put a 3.0 ipsw in the same directory, deleted the 3.1 one, then renamed the 3.0 file to the 3.1 name. You know, I tried to cheat iTunes 8.2 into thinking this was the one it downloaded before in the last check. I know that if iTunes knows the 3.1 FW is there, it does not need to download again, it just does the ECID check. I started the restore, iTunes checked that mine was a 3.1 3GS, and unfortunately it once again started to download a new 3.1 !!!! It is just that smart! I think it checked the content of the ipsw, I guess to confirm it is the real correct one.
    2009-09-16 12:09 PM
  9. nyteschayde
    It may be that it's checking for some identifier string within the ipsw. If we're really really lucky you'd be able to modify the identifier strings within the 3.0 to reflect that it's 3.1. I am guessing, however, that it also computes or compares some sort of MD5 hash or checksum. If that is true then it's much harder. If however it just reads the Restore.plist file's version we may be in luck.
    2009-09-16 08:11 PM
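Added example, not code from the thread: a small Python model of the kind of check xsemaphorex (post 6) and goodman1501 (post 8) describe, with the "make a 3.0 ipsw look like 3.1" idea from posts 8 and 9 tried against it. The archive layout, file names and key are constructed for the example; the HMAC stands in for the vendor's asymmetric signature that a device checks with a built-in public key, so it runs on the standard library alone.

```python
import hashlib, hmac, io, plistlib, zipfile

# Constructed stand-in for the vendor's signing key (in reality an asymmetric key pair;
# HMAC models it here). The verifier never trusts anything the client tells it.
VENDOR_KEY = b"constructed-vendor-key-not-a-real-secret"

def build_ipsw(version, files, key=VENDOR_KEY):
    """Build an in-memory ipsw-like zip: payload files, a Restore.plist recording the
    version plus a SHA-256 per file, and a vendor MAC over the plist that binds it all."""
    manifest = {"ProductVersion": version,
                "Digests": {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}}
    plist = plistlib.dumps(manifest)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("Restore.plist", plist)
        z.writestr("Restore.plist.sig", hmac.new(key, plist, "sha256").digest())
    return buf.getvalue()

def verify_ipsw(blob, expected_version, key=VENDOR_KEY):
    """Device-side style check. Returns (ok, reason); the file name is never consulted."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        plist = z.read("Restore.plist")
        if not hmac.compare_digest(z.read("Restore.plist.sig"),
                                   hmac.new(key, plist, "sha256").digest()):
            return False, "manifest signature mismatch"
        manifest = plistlib.loads(plist)
        if manifest["ProductVersion"] != expected_version:
            return False, "version mismatch"
        for name, digest in manifest["Digests"].items():
            if hashlib.sha256(z.read(name)).hexdigest() != digest:
                return False, "digest mismatch for " + name
    return True, "ok"

def retag_version(blob, new_version):
    """Model the thread's idea: rewrite only the version string in Restore.plist and
    leave the rest of the archive (payload files, old signature) untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == "Restore.plist":
                manifest = plistlib.loads(data)
                manifest["ProductVersion"] = new_version
                data = plistlib.dumps(manifest)
            dst.writestr(info.filename, data)
    return out.getvalue()
```

Renaming the file changes nothing the verifier reads, and editing the version string breaks the signature over the manifest, which is why a content check rather than a filename check defeats the trick.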
  10. lilfellabob
    Hmm, I don't know a whole lot about any of this but might I say you guys are having some great ideas.. the thought that we may be able to trick iTunes into thinking a 3.0 ipsw is a 3.1 is a great idea! I think it is likely to be possible since custom firmwares can have the older baseband retained.. what if instead of mod'ing the baseband, mod the ID of it!
    2009-09-24 08:34 AM