Builder AU tracked down the first person outside of Apple to get their hands on the inner workings of the iPhone and asked him via e-mail the what, the where and the why of hacking the iPhone.
By day he’s your average American teen. Just two weeks out of high school, he saved money from his part-time job fixing computers and waited three hours outside an AT&T store to buy an iPhone. By night, he leads the vanguard of a growing community of iPhone hackers under the name geohot.
Last Tuesday we brought you news that hackers from the full-disclosure mailing list had found root passwords in a system restore image. Over the weekend Jon Lech Johansen, also known as DVD-Jon, managed to activate the non-phone functions without an AT&T account, and in the last 24 hours a community of iPhone hackers running out of the iPhone Dev Wiki (link omitted at the request of the Web site authors due to bandwidth concerns) have become the first to gain an interactive shell into the smartphone.
This evening geohot took some time out from his busy reverse engineering schedule to shed some light on the process:
Builder AU: Now as I understand it, you’ve got a serial console to the bootloader without having to modify the iPhone hardware. There are hardware modifications to the dock, however. Could you tell me a little bit about the process?
Sure, the serial pinouts are the same as the ones used in the iPod. I stayed up all night taking apart my dock and soldering super-small wires to the pins. With a quick homebrew level converter circuit and a USB-serial converter, the hardware was done. Our group speculated the night before that some software flags would have to be set. Someone sent me some environment variables (debug-uarts) to set and sure enough they enabled serial.
Is this procedure within the reach of the average enthusiast?
The enthusiast with money can buy breakout boards for the iPod dock connector and pre-built level converter circuits. Modifying the dock the way I did was very difficult. The soldering was near impossible and I solder QFP and SSOP by hand.
What does the shell actually get us?
Not as much as you’d think. First of all, it only connects to the bootloader, which doesn’t touch user mode. All the “cool” commands, like writing to the radio, give “Permission Denied” errors. The bootloader checks a hardware register to generate that error, and the only way I see around is JTAG. We can’t patch the bootloader because it is signed.
What is the significance of the radio module? What does it control?
The radio module controls the subsidy lock, which is the lock in to one carrier — in this case AT&T. Access to the radio is what we need to unlock the phone to use other carriers.
What’s the plan for hacking the iPhone?
Right now we are trying to compile a working toolchain. The iPhone is the only device to use Mach-O and ARM. Some things support Mach-O i386. Some things support ELF ARM. We need to merge them together. We already know how to upload files to the phone, move those files around, and run those files. We want to write a program which can send the unlock codes right to the radio.
If you don’t have permissions to run commands in the shell, does this get the community any further than the root passwords that were discovered last week?
The root passwords discovered last week are completely useless so far. This shell is to the bootloader, not to user mode where those passwords are stored.
How close are we to getting third-party applications on the iPhone?
Programs … we’re close. Applications involve a good understanding of the framework. I am personally not a Mac coder, so I don’t understand everything involved. But I’d bet it’s done within two weeks.
Does having access to the bootloader get us any closer to allowing the iPhone to work on a non-AT&T network?
Only if we find a way around the permission denied errors.
Are you worried at all that Apple may pursue you for hacking their product? How about DMCA violations?
A law was passed last November to allow the unlocking of cell phones. So on that front we are fine. We have been careful not to post online any dumps of firmware and haven’t made any modifications to the MobileDevice framework/dll, so no copyrights have been violated.
What’s the latest progress on unlocking the iPhone?
We basically have full filesystem access. I’d really like to get ssh or something similar running. The main thing standing in our way now is the Mach-O ARM toolchain.
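The toolchain problem geohot describes here and above is a mismatch of container format and CPU type: the Mac tools emit Mach-O for i386, the embedded tools emit ELF for ARM, and the phone wants Mach-O for ARM. As an added example (not from the interview or the Dev Wiki), the Python below reads only the file header and reports which container/architecture pair a binary is, so a candidate toolchain's output can be checked before anything is copied to the device; the sample headers are constructed, and the `is_iphone_native` helper name is my own.

```python
import struct

# Magic numbers from <mach-o/loader.h>, <mach-o/fat.h> and the ELF specification.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # Mach-O 32-bit / 64-bit header
FAT_MAGIC = 0xCAFEBABE                           # universal ("fat") wrapper, always big-endian
CPU_ARCH_ABI64 = 0x01000000
MACHO_CPU = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
             12: "arm", 12 | CPU_ARCH_ABI64: "arm64", 18: "ppc"}
ELF_MACHINE = {3: "i386", 40: "arm", 62: "x86_64", 183: "arm64"}


def identify(data: bytes):
    """Return (container, arch) for the start of a binary, or (None, None) if unrecognised."""
    if len(data) < 20:
        return None, None
    if data[:4] == b"\x7fELF":
        order = "<" if data[5] == 1 else ">"       # e_ident[EI_DATA]: 1 = little, 2 = big endian
        (e_machine,) = struct.unpack(order + "H", data[18:20])
        return "ELF", ELF_MACHINE.get(e_machine, f"unknown({e_machine})")
    for order in ("<", ">"):                       # a Mach-O file is stored in its target's byte order
        (magic,) = struct.unpack(order + "I", data[:4])
        if magic == FAT_MAGIC and order == ">":
            return "Mach-O fat", "multiple"
        if magic in (MH_MAGIC, MH_MAGIC_64):
            (cputype,) = struct.unpack(order + "i", data[4:8])   # mach_header.cputype
            return "Mach-O", MACHO_CPU.get(cputype, f"unknown({cputype:#x})")
    return None, None


def is_iphone_native(data: bytes) -> bool:
    """True only for the Mach-O + ARM pair the phone loads; Mach-O i386 and ELF ARM both fail."""
    return identify(data) == ("Mach-O", "arm")


# Constructed sample headers (not real binaries):
# mach_header = magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags (all little-endian).
SAMPLE_MACHO_I386 = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 0, 0, 0)   # what a Mac i386 toolchain emits
SAMPLE_MACHO_ARM = struct.pack("<IiiIIII", MH_MAGIC, 12, 6, 2, 0, 0, 0)   # cpusubtype 6 = ARMv6
SAMPLE_ELF_ARM = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8          # e_ident: 32-bit, little-endian
                  + struct.pack("<HHI", 2, 40, 1))                         # ET_EXEC, EM_ARM, EV_CURRENT

if __name__ == "__main__":
    samples = [("Mach-O i386", SAMPLE_MACHO_I386), ("ELF ARM", SAMPLE_ELF_ARM),
               ("Mach-O ARM", SAMPLE_MACHO_ARM)]
    for name, blob in samples:
        print(f"{name:12s} -> {identify(blob)}  iphone_native={is_iphone_native(blob)}")
```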
What motivates you to do this?
I need a summer project 🙂 And wouldn’t I look cool walking around with a T-Mobile iPhone?
Do you think it was a good or a smart idea for Apple not to provide open access to the iPhone?
It gave me something to play with 🙂 Although I hope they come forward after this is over and the phone is unlocked with all the APIs.
Anything else you’d like to add?
I’d just like to say I’ve been working with some incredibly smart people, and they have really taught me a lot. I know this sounds easy, but it took us days of background work to make possible.