Reverse engineers are now able to activate an iPhone without an AT&T account and can gain shell access via a serial connection.
This follows last week’s discovery of the iPhone’s root password in a system recovery image — all hacks occurred within nine days since the iPhone was released in the US.
John Lech Johansen announced on his blog that he has developed a method for activating an iPhone without an account from telecommunications carrier AT&T. After the hack, most of the iPhone’s functions work — for example, the wireless capabilities and music playback feature — but it can’t be used as a phone.
The hack involves editing the machine code of iTunes using a hex editor and changing the PC’s
hosts file to trick the iPhone into activating locally without connecting to an apple server. The
hosts file controls to which location a domain name (such as www.builderau.com.au) points to on the Internet.
Currently the hack only works under Windows, as it requires the .NET 2.0 framework. The process will work on a Macintosh using Parallels, however.
Dicussion has sprung up around the unoffical hub of iPhone hacking, the hackint0sh.org forums. Reports from community enthusiasts are positive about the results of the hack, speculating that it may become a major step on the road to using an iPhone on an non-AT&T network, which would allow its use outside the United States.
In a second hack, enterprising hackers have gained access to an interactive shell through a serial connection. This allows terminal access to the phone’s bootloader, which controls the software image that is loaded when the iPhone starts up. The process involves hand soldering the iPhone dock and exposing a serial port, presumably intended for debugging.
This breakthrough is by no means the end of the road, one of the hackers working on the reverse engineering process, going by the name geohot (read a full interview with geohot here), posted on the iPhone Dev Wiki: “The serial interface isn’t really as great as it sounds … We know how to unlock the phone. Unfortunately, the commands needed gave “Permission Denied” errors.”
The hack resulted in a list of the commands the iPhone will accept through the interactive shell — should the permission issue be bypassed. The commands give access to the iPhone’s memory as well as allowing the booting of a custom software image or running of a custom script. This will allow unrestricted access to the device.
Another iPhone hacker, who wished only to be identified as ‘gj’, updated Builder AU on the current progress: “Initially we thought the serial shell was a big breakthrough because we had hoped it would let us write directly to the radio [module]. We know that once we can do that there is a very good chance we can unlock the phone. Unfortunately the boot loader (which is what’s accessed by the serial shell, at least partially) is all “permission denied” … I’m not sure if it’s a dead end or not, it is a valuable capability on a number of fronts but I can’t really tell you if it will bring us where we want.”
Update:The iPhone Dev Wiki team reports that “ringtones would be a *trivial* thing to do now”, although “The bootloader is basically a dead end … Fortunately we have another in.”