HACKING THE iPHONE


I am republishing here an article I got from somewhere (I forgot where) on hacking Apple’s wonderful iPhone.

I am also putting up a link to the iPhone Hacking Kit, which is needed to follow this step-by-step procedure for hacking the iPhone.

Here it is….

The iPhone Hacking Kit, step by step

PLEASE NOTE THESE TECHNIQUES WERE POSTED IN AUGUST 2007 AND ARE ONLY APPLICABLE TO 1.0 VERSION IPHONES.

For better or worse, Apple designed the iPhone to be a completely closed system. That is, you can’t add new applications to it, and even some seemingly “normal” cell phone features – like the ability to add custom ring tones – are locked up. Or are they?

Thanks to an extremely well-organized group of very talented hackers, you can crack into your iPhone and make all sorts of changes and modifications. The iPhone hacking effort has been a Herculean task, but the progress that’s been made in a reasonably short amount of time is very impressive.

In the month since the iPhone shipped, hackers have released code that allows you to perform all sorts of modifications, from installing custom ringtones, to adding new applications such as a screen capture program, and a Nintendo emulator.

Hacking the iPhone is not a complicated process, but it does take time, usually 30 to 45 minutes, and some special software and bits of code, which we’ve gathered up for you. Best of all, once your phone is hacked, you can very easily install additional third party apps as they’re released. In this article, we’ll walk through all of the steps required to hack your iPhone and install third party applications and options.

(If you want to know the story behind this story, read Christopher Breen’s blog entry at Macworld.com.)

Detailed (and we’re not kidding) instructions after the jump. If you’re faint of heart, begone!

Why should you hack your phone?

Because it’s there.

For the most part, there’s not a huge reason to hack your iPhone yet. Adding custom ringtones is probably the best reason to do a little iPhone hacking. Capturing screenshots of your iPhone is another good excuse to hack it (you’ll see screenshot examples later).

But currently, there’s not a “killer app” for iPhone hacking. The Nintendo emulator is cool-looking, but is somewhat unplayable due to the iPhone’s lack of real buttons. At this point, the only real reasons to hack your iPhone are:

  • It’s fun. You get to learn some stuff about the inside of your phone, and possibly learn some cool Unix stuff along the way.
  • It will make your iPhone look different and unique. Once you have a couple of additional apps on there, other iPhone users will take pause when they see your phone.
  • You’ll be prepared for future third-party releases. Once your iPhone is hacked, it’s very simple to add additional applications as they become available. Development is proceeding very quickly – the Nintendo emulator was available just a week after the iPhone hacker development tools were posted.

Hacking your iPhone requires an Intel Mac, a set of files and the iPhone Hacking Kit, which you can download here, and some time. Unzip the iPhone Hacking Kit folder and place it on your Desktop. It must be on the Desktop for these instructions to work as they are printed here. Finally, your Mac and iPhone need to be connected to the same Wi-Fi network.

Before we begin, though, we must issue the obligatory warnings: it is theoretically possible to screw up your phone. However, at any time, you can use iTunes to restore your phone to its original state, so you don’t have to worry about completely breaking your phone. The worst that will happen is that you’ll lose some time. That said, if taking things apart makes you nervous and uncomfortable, then what we’re going to do here probably isn’t for you.

We’ll be performing most of our hacks through the Terminal application on your Mac. Just type carefully and proceed slowly and you’ll be fine. And don’t worry, a single typo will not trash your whole phone.

What we’re going to do

Before we get started, let’s take a high-level look at exactly what we mean when we say we’re going to “hack the iPhone.” Our goal is to open up a communications channel that will let us add new, executable applications to the iPhone. The iPhone is a communications device, so one would think that it would be easy to communicate with it, but because Apple designed it to be unmodifiable, finding a way to talk directly to the phone is not simple.

Yes, the phone has a Wi-Fi connection, a cellular radio, and Bluetooth, but out of the box it doesn’t include any software that uses those links for file transfer, so there is nothing listening on them for us to connect to.

However, it does include a dock connector and a USB cable, and it knows how to talk to iTunes through this connection. This, then, will be the initial method for talking to the iPhone. Thanks to some clever software, we’ll begin by breaking the phone out of the “jail” that Apple has put it in.

Jailbreaking works by intercepting the communication that is supposed to happen between the iPhone and iTunes. Once intercepted, a channel is open to the computer’s OS, and we can use that channel to install software. However, this channel requires a direct connection to your Mac (through the iPhone’s USB cable) and while your phone is “jailbroken” you can’t sync. As such, it’s not a viable long-term solution for hacking the phone.

So, our first task after the phone has been broken open will be to install an SSH server. SSH stands for “secure shell”; it is the standard way to get an encrypted remote command line on a Unix machine, and since your iPhone is built on an OS X variant, it’s a Unix computer. The server we’ll install is Dropbear, a small SSH implementation.

Next we’ll install some additional utilities, including some file transfer utilities, and then finally we’ll put the phone back in jail. That is, we’ll return it to its normal state that allows it to sync with iTunes through its USB cable. However, with the SSH server and file transfer utilities installed on the phone, you’ll be able to log in to the phone from any Mac Terminal window over the phone’s Wi-Fi connection, just as you can with any other Mac or Unix machine. We’ll use this channel to install a Terminal application and a screenshot utility.

Let’s get started.

Get out of jail free

In the iPhone Hacking Kit that you downloaded, you should find an installer for iFuntastic. Double-click this installer to install iFuntastic in your Applications folder. This is the program we will use to jailbreak your phone.

Once it’s installed, do the following:

1. Reboot your Mac, just to be safe. You don’t want iFuntastic crashing during this process.

2. Make sure your iPhone is on, then plug it into your Mac using the usual cable.

3. After iTunes launches, quit it.

4. Double-click iFuntastic to launch it.

5. On the left side of the iFuntastic window there is a button called Prepare. Press it now.

6. Click the Jailbreak button at the bottom of the window.

7. On the next page are six steps. Follow them very closely.

8. If all goes well, iFuntastic will show you its success page.

If the jailbreak fails, don’t panic, just try it again until it works.

9. Now hide iFuntastic by pressing Command-H. We’ll be returning to it later.

Your iPhone won’t look or function any differently once it’s out of jail. The only change is that when you plug it in it won’t sync with iTunes. Don’t worry, we’ll re-jail it when we’re finished to get it back to normal.

Now we’re ready to exploit our newfound connection to our phone.

Not your average bear

As mentioned earlier, our ultimate goal is to end up with an iPhone that has software on it that can communicate with our Mac via a normal Wi-Fi connection. With the phone jailbroken and tethered to the Mac, we have a communications channel which we will now use to install an SSH server called Dropbear. From here on out we’ll be working extensively with the Terminal application, so open it now. By default, it’s located in Applications>Utilities.

Once Terminal is launched, you need to change to the iPhone Hacking Kit directory. In terminal type cd followed by a space, and then drag the iPhone Hacking Kit folder into the terminal window. Then press Return. Your terminal window should now say something like:

Your Mac:~/Desktop/iPhone Hacking Kit yourmac$

Located in the iPhone Hacking Kit folder is a copy of iPHUC, the iPhone Utility Client. Run it now by typing

./iPHUC

and then pressing return.

You should see:

>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
initPrivateFunctions: this is still not clean.
Architecture: i386
AMDeviceNotificationSubscribe: 0
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceConnect: 0
AMDeviceIsPaired: 1
AMDeviceValidatePairing: 0
AMDeviceStartSession: 0
AMDeviceStartService AFC: 0
AFCConnectionOpen: 0
AFCPlatformInit: (no retval)
notification: Entering shell in Normal Mode.
shell: Entering loop.
(iPHUC) /:

We are now in a shell that’s talking directly to the iPhone, just like any other type of shell that you might normally run in Terminal. This one, though, knows how to communicate through the jailbreak connection that we’ve established over the USB cable.

Now we need to make one little change to the phone. Do this by typing:

setafc com.apple.afc2

After pressing return, iPHUC might respond with this error:

InvalidResponse
AMDeviceStartService AFC: -402653165
AFCConnectionOpen: 0

If it does, then quit iPHUC by typing exit, then run iPHUC again by typing ./iPHUC.

Now enter setafc com.apple.afc2 again, and press return. When things are working, you should see something to the effect of:

AMDeviceStartService AFC: 0
AFCConnectionOpen: 0

If you still see the InvalidResponse message, quit iPHUC and try again. Don’t worry too much about the numbers; the real test is whether ls works, below. In some cases, you might have to actually quit Terminal completely and restart it. Keep going until the command completes without the InvalidResponse error.

To ensure that everything is working properly, type ls and press return. If you’re used to using Terminal, you’ll recognize ls as the List Directory Contents command, and sure enough, you should see a directory listing:

.
..
Applications
Library
System
bin
cores
dev
etc
iTunes_Control
mach
private
sbin
tmp
usr
var

These are the contents of the iPhone’s root directory and as you can see, they look very much like a standard OS X root directory. If you don’t see this directory, quit iPHUC and try again.

Now we need to retrieve two files from the iPhone. Later, we’ll see what these are for.

In the Terminal, enter
getfile /System/Library/LaunchDaemons/com.apple.update.plist com.apple.update.plist.original
and press return. iPHUC should respond with:

remote: /System/Library/LaunchDaemons/com.apple.update.plist
local: com.apple.update.plist.original
AFCFileRefOpen: opening remote path ‘/System/Library/LaunchDaemons/com.apple.update.plist’
AFCFileRefRead: reading 489 bytes into buffer
getfile: Writing file to local path ‘com.apple.update.plist.original’
getfile: Transfer successful.

If you look in your iPhone Hacking Kit folder on your Mac, you should see a new file called com.apple.update.plist.original. This is a copy of the launchd job description (a plist) that tells the phone how to run the update daemon at boot; we just pulled it off the iPhone and renamed it.

Now enter getfile /usr/sbin/update update.original and press return.

Again, you should see the Transfer successful message, and another file will appear in your iPhone Hacking Kit folder. This time, we grabbed the update daemon from the iPhone. This is a small application that gets executed when the phone boots. We renamed the daemon update.original when we saved it to the local drive. The reason for all this will become clear shortly.

Now it’s time to put Dropbear, our SSH server, onto the iPhone. First, create the directory it keeps its host keys in by entering

mkdir /etc/dropbear

This creates a directory called dropbear in the /etc directory. Then issue the putfile commands below. After each one you should see “Transfer successful”. If you don’t, double-check your typing and try again. You’ll need to replace [username] with your user name wherever it appears.

Using the putfile command, you’ll need to move several files from your iPhone Hacking Kit onto the iPhone. You’ll do this by typing putfile and a space, then dragging and dropping the file from the Finder onto the Terminal window, then typing a space, then typing the full destination path, including the file name at the end. A destination that names only a directory fails with “Failed to open remote file: 9”, as several readers report in the comments below.

For example, for the first entry the end result would be:

putfile /[path to hacking kit]/sh /bin/sh

File to drop                      Destination to type

sh                                /bin/sh
chmod                             /bin/chmod
dropbear                          /usr/bin/dropbear
au.asn.ucc.matt.dropbear.plist    /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist
dropbear_rsa_host_key             /etc/dropbear/dropbear_rsa_host_key
dropbear_dss_host_key             /etc/dropbear/dropbear_dss_host_key
chmod                             /usr/sbin/update
com.apple.update.plist.hacked     /System/Library/LaunchDaemons/com.apple.update.plist

We’ve done several things here. First, we put a copy of a shell called sh into the /bin directory on the phone. Ultimately we need a shell on the phone for our SSH logins to land in, so that’s why we’re installing it now.

Next, we placed a copy of a program called chmod in the /bin directory. All files in a Unix operating system have permissions attached to them, and chmod is the program that alters those permissions. We’ll use chmod to make the applications that we install executable.

Next we installed Dropbear in the /usr/bin directory. This is the SSH server that we want the phone to run. After that, we installed a plist with a long name in the /System/Library/LaunchDaemons directory; that is the launchd job description that tells the phone to start Dropbear at boot.

We placed two host key files in the /etc/dropbear directory that we made earlier. The server needs these keys to identify itself to clients and set up its encrypted sessions.

Finally, we placed another copy of chmod in the /usr/sbin directory, but this time we named the resulting file update. As you’ll recall, earlier we pulled a copy of update off of the iPhone. We’re now writing over the update daemon that’s on the iPhone with chmod. You’ll see why in a sec. We also replaced that daemon’s job description, /System/Library/LaunchDaemons/com.apple.update.plist, with the com.apple.update.plist.hacked file from the kit.

So, we’ve copied Dropbear onto the phone, as well as some utility files that it needs, but we’ve also done something else. Before an application can be run, its permissions must be set to executable, which we can do with the chmod application that we installed. The problem is, how do we get chmod to run on our Dropbear binary? Right now we have no way to execute a program on the phone at all.

In the old days of iPhone hacking (that is, the morning of June 30, 2007 at roughly 10ish) you used special tools to pull off an image of the iPhone’s contents. Then you manipulated that image on your Mac, installing software and changing permissions, and put the whole thing back on. This was difficult and time-consuming, which is why an enterprising hacker named Nervegas came up with a new trick.

When your iPhone is booted, it automatically runs certain applications called daemons. The update daemon is one of those. As you’ll recall, we made a copy of update early on. You’ve now replaced the update daemon on the phone with a copy of chmod. When you reboot your phone, it will blithely execute update, just as it’s supposed to, with no idea that it’s actually running chmod. The com.apple.update.plist.hacked file that we installed (under the name com.apple.update.plist) supplies the arguments chmod needs to alter the permissions of our Dropbear binary and make it executable.

Once Dropbear has been made executable, it will run any time the phone is powered on. So:

Now turn your phone off, and then turn it back on. Because you’re still jailbroken, iTunes will launch and then quit. When the phone is back up and running, turn it off and on again. Again, iTunes will launch and quit. You have now rebooted your phone twice. The first time, our Trojan chmod application modified the permissions of Dropbear. The next time, the now-executable Dropbear should start running, and voila! You’ll have an ssh daemon running on your iPhone!
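As an added illustration (not a file from the iPhone Hacking Kit or from the original article), here is a reconstruction of what a launchd job that abuses the update daemon slot has to contain. The actual contents of com.apple.update.plist.hacked are not shown on this page, so the Label value, the use of RunAtLoad and the exact argument order are assumptions; what is certain is that launchd starts whatever ProgramArguments names, so a job that runs /usr/sbin/update (now chmod) with +x /usr/bin/dropbear marks the binary executable on the next boot. The second function reads the arguments back so you can check the job before pushing it with putfile.

```shell
#!/bin/sh
# Added example, not from the iPhone Hacking Kit: build a launchd job that
# runs /usr/sbin/update (which the procedure above has replaced with chmod)
# with the arguments chmod needs to mark a target executable.
# The real com.apple.update.plist.hacked is not shown on this page; the Label,
# the RunAtLoad key and the argument order here are assumptions.

# launchd_chmod_plist TARGET [PROGRAM]
# Print a launchd property list whose ProgramArguments are
#   PROGRAM +x TARGET
# PROGRAM defaults to /usr/sbin/update, the daemon slot the phone runs at boot.
launchd_chmod_plist() {
    target=$1
    program=${2:-/usr/sbin/update}
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.update</string>
    <key>ProgramArguments</key>
    <array>
        <string>$program</string>
        <string>+x</string>
        <string>$target</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# plist_program_args FILE
# Recover the ProgramArguments from a plist written by launchd_chmod_plist,
# one per line, so the job can be checked before it is pushed with putfile.
plist_program_args() {
    sed -n '/<array>/,/<\/array>/p' "$1" |
        sed -n 's/^[[:space:]]*<string>\(.*\)<\/string>[[:space:]]*$/\1/p'
}

# Usage: write the job for Dropbear to a temporary file and inspect it.
out="${TMPDIR:-/tmp}/com.apple.update.plist.hacked"
launchd_chmod_plist /usr/bin/dropbear > "$out"
plist_program_args "$out"
```

The same generator describes any one-shot permission fix: pass a different TARGET to have the boot-time chmod act on another binary. Whatever the job does, remember that it runs as root on every boot until the original update and its plist are put back, which is why the article restores both as soon as Dropbear is confirmed running.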

After the phone has rebooted the second time, we need to test to see if ssh is running. Any time you want to SSH into your iPhone, you must know the phone’s IP address. On the phone, press Home, then Settings, then Wi-Fi, then look at the details for the network that you’re connected to. You’ll find the IP address in there.

1. In the Terminal window, type exit, to quit iPHUC.

2. Type ssh root@[iPhone’s IP address]. For example ssh root@192.168.1.14.

The iPhone should respond with something like:

The authenticity of host ‘192.168.1.14 (192.168.1.14)’ can’t be established.
RSA key fingerprint is 5a:e4:fa:de:62:f6:9b:96:7f:3b:57:b1:76:21:77:d6.
Are you sure you want to continue connecting (yes/no)?

Type yes and hit return. (This fingerprint check proves less than usual here: the host keys came from the hacking kit, so every phone set up with it presents the same key, and anyone who downloaded the kit holds the private half and could impersonate your phone on a shared network.) When it asks for a password, enter dottie. By default, all of these iPhones ship with a root password of dottie.

You should see a prompt like this:

-sh-3.2#

Congratulations! You’ve just installed an SSH server and ssh’d into your iPhone!

3. Enter exit to leave the ssh session (or type the escape sequence ~. at the start of a fresh line). If it continues to display the ssh prompt, try again.

Back to normal

Now we need to restore some things on the phone to normal. As you just learned, to get this all to work, we had to replace the update daemon with chmod. Now we need to put update back where it was.

Launch iPHUC by typing ./iPHUC in the Terminal and then enter these commands (each of them on a single line, despite the fact that on this web page the information breaks over multiple lines):

putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/com.apple.update.plist.original /System/Library/LaunchDaemons/com.apple.update.plist

putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/update.original /usr/sbin/update

Those two commands restore the update daemon.

Your phone now has an SSH server on it, reachable over any Wi-Fi network it joins, with a root password known by anyone who’s reading this article (as well as a bunch of really talented hackers). The odds of someone looking for an iPhone to hack in a public place are small, but if you want to be even slightly secure, change the password.

To change the password of your phone:

1. In the Terminal, exit iPHUC by typing exit.

2. At the prompt, enter perl -e 'print crypt("mypassword","XX");'

Substitute your desired password for mypassword, and any two characters from the set a-z, A-Z, 0-9, . and / in place of XX. Those two characters are the salt and become the first two characters of the result.

Terminal will display the hashed version of your password: a 13-character traditional DES crypt string, which is the format master.passwd on the phone uses. Note that this hash only looks at the first 8 characters of the password; anything beyond that is ignored.

3. In the iPhone Hacking Kit folder, you’ll find a file called master.passwd.original. Open this in TextEdit and replace both the mobile and root passwords with the encrypted text.

For example, if step 2 produced the hash XXVeA.Z.EZ6FA, then in the master.passwd.original file you would change this:

root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh

to this:

root:XXVeA.Z.EZ6FA:0:0::0:0:System Administrator:/var/root:/bin/sh

and this:

mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh

to this:

mobile:XXVeA.Z.EZ6FA:501:0::0:0:Mobile User:/var/mobile:/bin/sh

Make sure there is no space after the colon: everything between the first and second colon is taken as the hash, so a stray space means no password will ever match.

4. Choose File > Save As and save the document back into the iPhone Hacking Kit folder as master.passwd.

5. Because TextEdit tends to add .txt extensions, select the file, choose File > Get Info, and get rid of the extension. The file must also be plain text (Format > Make Plain Text in TextEdit), not rich text.

6. In the Terminal, launch iPHUC again by typing ./iPHUC.

7. Put the new password file on your phone with this command: putfile /Users/[username]/Desktop/iPhone\ Hacking\ Kit/master.passwd /etc/master.passwd
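If you would rather not round-trip the password file through TextEdit, the edit can be done from the Mac’s Terminal. This is an added example, not part of the original article or the kit: it generates the same traditional DES crypt hash the article does, swaps it into the hash field of a passwd-style file with awk, and refuses a hash containing whitespace or a colon (the stray-space mistake described above). The sample master.passwd lines are the two quoted from the kit’s master.passwd.original; the hash XXVeA.Z.EZ6FA used as a fallback is the article’s example value, not a verified hash of any particular password.

```shell
#!/bin/sh
# Added example, not from the original article: edit master.passwd from the
# shell instead of TextEdit, so the hash lands in the second field with no
# stray space, no .txt extension and no rich-text wrapper.

# crypt_hash PASSWORD SALT
# Traditional DES crypt(3), the 13-character format the phone's master.passwd
# uses. SALT is two characters from a-z A-Z 0-9 . / and becomes the first two
# characters of the result. Caveat: DES crypt only uses the first 8 characters
# of the password.
crypt_hash() {
    perl -e 'print crypt($ARGV[0], $ARGV[1])' "$1" "$2"
}

# set_passwd_hash FILE USER HASH
# Replace the hash field of USER's line in FILE (colon-separated passwd or
# master.passwd layout). Other fields and other users are left untouched.
# Refuses a HASH containing whitespace or ':' since either would corrupt the
# record, which is exactly the mistake a hand edit can make.
set_passwd_hash() {
    file=$1 user=$2 newhash=$3
    case $newhash in
        *[[:space:]:]*)
            echo "refusing hash containing whitespace or ':'" >&2
            return 1 ;;
    esac
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v u="$user" -v h="$newhash" \
        '$1 == u { $2 = h } { print }' "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# passwd_hash FILE USER
# Read back the hash field for USER, to check the result before putfile.
passwd_hash() {
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Usage. The two lines are constructed sample input copied from the kit's
# master.passwd.original as quoted in the article.
example=$(mktemp)
cat > "$example" <<'EOF'
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
EOF
if command -v perl >/dev/null 2>&1; then
    h=$(crypt_hash mypassword XX)
else
    h=XXVeA.Z.EZ6FA      # the article's sample hash, used when perl is absent
fi
set_passwd_hash "$example" root "$h"
set_passwd_hash "$example" mobile "$h"
passwd_hash "$example" root
rm -f "$example"
```

Run it against a copy named master.passwd in the kit folder and then push that file with the putfile command in step 7. Using the same hash for root and mobile, as the article does, means one password unlocks both accounts; generate two hashes if you want them to differ.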

Now your phone is almost back to normal. But, we still have some more things to install.

SCP – The racer’s edge

So far, we’ve been using iPHUC to manage all file transfers between the Mac and the iPhone. But we want something that doesn’t require a tethered connection, so we’re going to install the server-side pieces that scp and sftp need on the phone: when you run scp against a remote host, the SSH server there has to launch its own copy of scp (or, for sftp, sftp-server) to carry out the transfer. With those in place we can move files on and off after we’ve unplugged the iPhone.

Launch iPHUC and, once again using putfile in the format

putfile [drop file here] [destination path]

move the following files into the following locations (as before, type the full destination path, file name included):

File to drop       Destination to type

sftp-server        /usr/libexec/sftp-server
scp                /usr/bin/scp
libarmfp.dylib     /usr/lib/libarmfp.dylib

The SCP and SFTP servers are now installed, but they need to be made executable. As you’ve learned, we can make a file executable by using the chmod tool. Earlier, we had to trick the iPhone into executing chmod, but now that we have ssh on the phone, we can simply ask the phone to execute chmod.

Enter ssh root@[iPhone’s IP address]

When prompted, enter your password, you will then be presented with an ssh prompt: -sh-3.2#

Now the Terminal window is acting as a terminal directly to the iPhone. In other words, any commands we enter will be executed by the phone. Tell the phone to execute chmod to change the permissions of the sftp-server and scp applications.

chmod +x /usr/libexec/sftp-server
chmod +x /usr/bin/scp

Now test SCP by entering scp. You should see something like this:

usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 […] [[user@]host2:]file2

We’ll use SCP shortly to install some new applications on the iPhone. But first, we need to do some cleanup.

Go directly to jail

We’re just about ready to re-jail the iPhone. This will return it to its normal, sync-ready state, and will mean that you no longer have to tether it.

Before we rejail, though, we’re going to move over a few more files. In iPHUC, issue the following commands in the format putfile [drop a file here] [path], again giving the full destination path with the file name at the end:

File to drop    Path to type

shells          /etc/shells
bash            /bin/bash
csh             /bin/csh
rm              /bin/rm
rmdir           /bin/rmdir
ls              /bin/ls

We’ll fiddle with those files later. For now, on your Mac, return to iFuntastic. We’re ready to re-jail the phone.

Before we do, though, notice that iFuntastic allows you to add new ringtones, change the carrier logo, alter the order of icons on your home screen, and browse files. If you want to use any of these features, give them a try.

When you’re finished, click the Finish button, and then the Jail button. Then, follow the on-screen instructions. This will put your phone back in jail, closing the communications loophole that we’ve been exploiting. iPHUC will no longer be able to talk to your phone. But that’s okay, because we now have lots of other ways to do that.

After your phone has rebooted, click Done, and then give some thought to donating to the resourceful hackers who made iFuntastic possible. When you’ve finished, quit iFuntastic and unplug your iPhone from your Mac.

Do something useful

So far, our hacking has been limited to the “because it’s there” level of satisfaction. Let’s kick it up a notch and install some actual applications. We’ll start with a screenshot app written by Erica Sadun. We need to transfer the screenshot app to the phone, which we’ll do using the SCP application that we installed earlier.

scp [drop hacking kit screenshot here] root@[iPhone’s IP]:/Applications

You’ll be prompted for your phone password, and then the transfer should occur. This command sends the file screenshot to the Applications directory of the phone. You can learn more about scp by opening a new Terminal window and entering man scp.

Now we need to make the screenshot app executable.

ssh into your phone (ssh root@[ipaddress]). Because you rebooted your phone, you may want to double-check what IP it ended up with. Enter these commands:

chmod +x /bin/bash
bash

You should now see a bash prompt that looks like this:

bash-3.2#

Bash is a more versatile shell that allows you to do a few more things.

Enter chmod +x /Applications/screenshot

Screenshot should now be executable. Let’s try it. Put your iPhone on a screen that you want to capture. In your Mac’s Terminal window, enter /Applications/screenshot. You should see:

About to snap screen.
Your screen shot is located at /tmp/foo_0.png

Your phone has captured a screen and stored it. Now we simply need to retrieve it, which we can do with the scp command. Open a new Terminal window and enter:

scp root@[iPhone’s IP]:/tmp/foo_0.png /Users/username/Desktop

When prompted, enter your password. The screenshot will be captured to your desktop.


(We created a second terminal window to enter the SCP command so that we now have one terminal window that’s running SSH, and another that lets us issue SCP commands.)

If you’re spending a long time ssh-ing or scp-ing to and from your phone, you might find that the phone falls asleep and kills the Wifi connection. You can make it stay on longer – or indefinitely – by going to Settings > General and then changing the Auto-Lock time.

So far, we’ve been using the Mac’s terminal to control the phone. Let’s install a terminal app that we can use on the phone itself.

Enter scp -r [drop Terminal.app from Hacking Kit here] root@[ip address]:/Applications/Terminal.app to transfer the terminal application to the phone. We have to add -r to the scp command because, technically, the Terminal app is a directory.

Now we need to make the app executable. scp copies files with default, non-executable permissions unless you pass -p, and what has to be executable is the binary inside the bundle, not just the bundle directory, so set the bit on everything in it. SSH to your phone and then enter:

chmod -R +x /Applications/Terminal.app

Now restart your phone. Once it’s up, you should see a new icon on your home screen!


Press Terminal, and the terminal app will launch. Any commands that you’ve been issuing through ssh you can now do directly on the phone. For example, let’s launch the bash shell. In the iPhone Terminal, enter bash and press return.


Just before we put the phone back in jail, we copied some additional commands to the bin directory. Let’s make three of them executable. In the iPhone terminal, enter:

chmod +x /bin/rm
chmod +x /bin/rmdir
chmod +x /bin/ls

rm is the remove command that lets us delete files, while rmdir deletes directories (empty ones only). ls is the list-directory-contents command that we used earlier. We’ll fiddle with these again later.

Bash is a much better shell than the default shell that the Terminal executes. So, if you find yourself unable to execute certain basic commands in Terminal, then try launching bash.

Let’s do a little iPhone customization. Personally, I don’t find the Stocks application to be very useful, so let’s remove it. Because we might later have some great windfall that would make the Stocks app more handy, we’ll back it up first, so that we can always put it back later.

In your Mac’s Terminal window, enter the following:

scp -r root@[iphone IP address]:/Applications/Stocks.app /Users/[your user name]/Desktop

This will copy the Stocks program to your Mac desktop. Now enter the following command (you can do this either via ssh on your Mac, or directly into the Terminal on your phone). Be sure to enter the path exactly as it is shown here, as this command removes an entire directory tree without asking, and you don’t want to accidentally remove your entire Applications directory:

rm -rf /Applications/Stocks.app

(rmdir only removes empty directories and takes no -rf option, so it will not do the job here; rm -rf will.)

Now reboot your phone. When it powers back up, you should find that the Stocks application is gone. If you ever want to put it back, just use scp -r to transfer the copy that you saved to your desktop back to your /Applications directory. Then use chmod to make /Applications/Stocks.app/Stocks executable. Reboot the phone and it will be right back where it started.
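Because rm -rf does exactly what it is told, a small wrapper that checks the path before deleting is worth having on the phone. The following is an added example, not code from the original article or the kit: it accepts only an existing directory named *.app that sits directly inside a directory called Applications, and refuses anything else, including /Applications itself and a path that points into a bundle. It uses only shell parameter expansion plus rm, so it runs in the on-device Terminal or over ssh once /bin/rm has been made executable as described above. Back the bundle up to the Mac with scp -r first, exactly as the article does.

```shell
#!/bin/sh
# Added example, not from the original article: delete an application bundle
# with guard rails around rm -rf, so a mistyped path cannot take the whole
# /Applications directory with it. Pure shell plus rm, so it runs on the phone
# (over ssh or in the on-device Terminal) once /bin/rm has been made executable.

# app_bundle_ok PATH
# Succeeds only if PATH is an existing directory named *.app that sits directly
# inside a directory called Applications (for example /Applications/Stocks.app).
app_bundle_ok() {
    p=${1%/}                       # tolerate a trailing slash
    name=${p##*/}                  # Stocks.app
    parentpath=${p%/*}             # /Applications (unchanged if no slash)
    parent=${parentpath##*/}       # Applications
    case $name in
        *.app) ;;
        *) echo "refusing: $p is not a .app bundle" >&2; return 1 ;;
    esac
    if [ "$parentpath" = "$p" ] || [ "$parent" != Applications ]; then
        echo "refusing: $p is not directly under an Applications directory" >&2
        return 1
    fi
    if [ ! -d "$p" ]; then
        echo "refusing: $p is not a directory" >&2
        return 1
    fi
    return 0
}

# remove_app_bundle PATH
# rm -rf PATH, but only after app_bundle_ok has accepted it.
remove_app_bundle() {
    app_bundle_ok "$1" || return 1
    rm -rf "${1%/}"
}

# Usage on the phone, after backing up with
#   scp -r root@[iPhone's IP]:/Applications/Stocks.app /Users/[your user name]/Desktop
# from the Mac:
#   remove_app_bundle /Applications/Stocks.app
```

The check is deliberately narrow: it says nothing about whether the bundle is one you should remove, only that the path has the shape of an app bundle in an Applications directory, which is the class of mistake the warning above is about.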

All of this should be enough to get you started. You’ve got a good assortment of commands and an understanding of how to move things on and off your phone. As more apps are developed you can use SCP to transfer them to your phone, and CHMOD to make them executable.

Note that, with the next update, Apple could wipe out all of your changes. If this happens, you may have to re-hack the whole thing, and this may require an update to the Jailbreak application or to iPHUC. We’ll try to keep you posted as these things change, and as new hacks become available.

Category: Hacking

Posted by Ben Long on Aug 13 2007, 7:27 PM ET

Comments (55)

Why not just use scp -rp root@:?
If you add the -rp, no need to run chmod after.

Posted by Branden Russell | August 13, 2007 11:13 PM

I seem to be having trouble. After I ./iPHUC in the terminal and type setafc com.apple.afc2, it doesn’t say InvalidResponse, but the numbers under AMDeviceStartService AFC: are never zero. I have exited and retried so many times I’m beginning to think I’m not getting it. I have also quit the terminal and started over several times… still nothing. The instructions say the numbers don’t matter, so I type ls and get nothing… I’m bummed.

Posted by Jackson | August 14, 2007 3:48 AM

OK, I am stuck at the point where you have to do setafc com.apple.afc2. My problem is that the first time I try it, it gives me the invalid response. So I exit, then restart iPHUC and try it again. This time it doesn’t give me the invalid response, however the first number is not 0. It’s still that long number. So I was able to add the first three files using putfile as per the directions even though I wasn’t able to get a 0 as the first number. However, when I try the subsequent files, it tells me “Failed to open remote file 9”. So I tried a bunch of things, even dropping the two off of afc and that produced a first number of 0, but I encounter the same error. Does anyone have any idea? I restored my iPhone too… then redid everything. I’m using the latest iFuntastic and the files provided on this page. I’m really frustrated! Any help would be awesome.

Posted by Joshua Wallace | August 14, 2007 4:51 AM

I can’t seem to copy au.asn.ucc.matt.dropbear.plist and the two dropbear host keys. Has anybody else had an issue copying these files and figured out a fix?

Thanks!

Posted by Dave | August 14, 2007 7:53 AM

I got error when I tried to use the “putfile” command.

(iPHUC) /: putfile /Users/felixlau/Desktop/iPhone\ Hacking\ Kit/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons
putfile: Opening local file ‘/Users/felixlau/Desktop/iPhone Hacking Kit/au.asn.ucc.matt.dropbear.plist’
AFCFileRefOpen: opening remote file ‘/System/Library/LaunchDaemons’
putfile: Failed to open remote file: 9

Can anyone tell me what should I do to get rid of that error?

Posted by pHelix | August 14, 2007 8:00 AM

nice how-to . . . may want to mention that using putfile requires complete pathname not just target directory for most of the files which need to be moved

Posted by timgollin | August 14, 2007 8:00 AM

I think one thing that would be useful (if you guys want to make this tutorial better than others available on the web) is to address the things that could go wrong and how to recover from them. It seems like every tutorial is just a list of steps that blindly assumes everything will go perfectly. This makes for a weak tutorial.

For example – every time I try iPhuntastic, I get to the Jailbreak screen, and even before the iPhone goes into Recovery mode, I get a “communications error” screen. This has happened before, and I had hoped your tutorial would provide some hints about recovery here (you did mention that you had experienced some problems yourself – write them up!).

Well, as you mentioned – there’s not really much of a compelling reason to hack the iPhone yet. Maybe when rails is running on the iPhone (Apache and Ruby and sqlite are). Or maybe it’s just better to wait for Apple to release a real toolchain.

Posted by Israel Alvarez | August 14, 2007 11:09 AM

If you get the error Failed to open remote file: 9 make sure you put the complete path as said above:
putfile /Users/dave/Desktop/iPhone\ Hacking\ Kit/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist

Worked for me!


d a v e

Posted by d a v e | August 14, 2007 11:40 AM

You might find it easier to use my iPhoneOpener tool which will perform the entire jailbreak & ash installation for you, including SCP/sftp support. You can find it at http://weblog.bluedonkey.org/?p=714

The ppc version is a little out of date – I need to rebuild it- but source is included.

Posted by John | August 14, 2007 12:24 PM

You just want to do the SetAFC command until you don’t see an “Invalid” error. Don’t worry about what the numbers are. After the SetAFC comes back error-free, try an ls (that’s an el and an ess). If it doesn’t do anything, then open up a new Terminal window, iPHUC into the phone and try ls again. If it STILL doesn’t do anything, then quit Terminal, re-launch, iPHUC to the phone and then try ls one last time. That should get you in.

Posted by Ben Long | August 14, 2007 1:14 PM

Dave’s right, if putfile isn’t working, put the full destination path, including the file name. So, you’d have:
putfile /Users/[account name]/Desktop/iPhone\ Hacking\ Kit/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist

So, in addition to the destination path, we’ve got the name of the file at the very end.

Posted by Ben Long | August 14, 2007 1:18 PM

This is cool! Although I don’t PLAN to do this right now, I definitely am going to study this closer. The more I can understand about this thing the better!

Great Article!

Posted by Orville Chomer | August 14, 2007 3:20 PM

OK, I don’t want to be rude, but for me, it obviously matters that the first number isn’t turning up 0. Now, every single time I iPHUC and then setafc com.apple.afc2 into my iphone, I get no invalid response but a very long negative first number. After that, trying any commands fails. I type “ls” and I get Directory ‘/’ does not exist. However, if I never type setafc com.apple.afc2 and then type “ls” I get a listing of the directories. BUT, I am only able to copy the first three files this way. The rest tell me Failed to open remote file: 9 or 12. So…. what could possibly be wrong? I’ve restored my iPhone, I’ve been jailbreaking successfully with iFuntastic. I’m using your hacking kit. Any help would be amazing thank you.

Posted by Joshua Wallace | August 14, 2007 3:50 PM

I get a refusal to connect error when I try to enter my IP address. Does this work if your wireless connection has WEP protection?

Is it possible for these steps to be looked over because I am very interested and there seem to be some kinks in the process.

Also as one reader had experienced, by using setafc com.apple.afc (without the number 2), the process works and I am able to bring up the directory and go on the next steps. Using the number 2 was just not working.

Posted by Daniel Mazler | August 14, 2007 4:09 PM

I removed the Stocks app and added the Terminal app as well, however I don’t recommend the method shown of just deleting the thing. Just edit /System/Library/CoreServices/SpringBoard.app/DisplayOrder.plist to remove it. You can also change the ordering of the applications in this manner as well.

BTW, blatant plug, I’m working on MAME for the iPhone:
http://code.google.com/p/iphone-sdl-mame/

Posted by rickb | August 14, 2007 4:41 PM

I can’t get it to remove an app. It says rmdir: invalid option -- r when I try with both the mobile terminal and the Mac terminal.

Posted by Joshua Wallace | August 14, 2007 5:43 PM

When I type ~ to exit ssh I just get:
-sh: /var/root: is a directory

Posted by TimL | August 14, 2007 9:10 PM

OK, I just typed ‘exit’ to get out of SSH (duh) but now I’m stuck at this step with the following error.

putfile /Users/tim/Downloads/iPhone\ Hacking\ Kit/com.apple.update.plist.original /System/Library/LaunchDaemons/com.apple.update.plist
putfile: Opening local file '/Users/tim/Downloads/iPhone Hacking Kit/com.apple.update.plist.original'
AFCFileRefOpen: opening remote file '/System/Library/LaunchDaemons/com.apple.update.plist'
putfile: Failed to open remote file: 8

Posted by TimL | August 14, 2007 9:19 PM

I got it all working! Thanks for all the help!!!

Posted by Dave | August 14, 2007 10:24 PM

port 22 error, how do I get past???

Posted by mister | August 15, 2007 10:36 AM

I have successfully followed the tutorial all the way to the scp phase but am always given a “Read-only file system” error when I try to copy over programs. Has anyone else received this and are there any solutions? Help would be appreciated.

Posted by jeremy | August 15, 2007 3:03 PM

I solved my own issue by going into the bin file while connected with ssh and resetting chmod +x on every file. I was then able to scp -r installer.app, terminal.app and even lights out.app (a totally awesome adaptation, and perfect for the iPhone). Both terminal and lights out work perfectly. installer.app froze my phone and I had to do a full restore, but I’m not positive if it was the app or because it downloaded some packages but could not install them. Oh well.

Posted by jeremy | August 15, 2007 4:56 PM

And for anyone who is having issues with setafc, I found that either using terminal and ./jailbreak or iActivator worked far better than iFuntastic. Re-jail and then run jailbreak again if you get the error; just restarting iPHUC never worked for me.

Posted by jeremy | August 15, 2007 4:57 PM

@ Jeremy:

I ran into the same problem, but it seems to be because I did not follow the instructions. Instead of using iFuntastic I used iActivator and ran into problems. (I don’t really know if it had anything to do with iActivator or something else I did.) Anyhow I did a restore on my iPhone and it was unable to restore my settings and text messages and so forth, but it did re-sync all my data.

I started again from square one, this time following the instructions to a tee, and it worked perfectly.

One other thing, did you assign a new password and is it accepting it?

Posted by tim LaDuca | August 15, 2007 5:31 PM

$ ./iphuc
iphuc 0.5.0
>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
initPrivateFunctions: this is still not clean. Architecture: i386
AMDeviceNotificationSubscribe: 0
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceConnect: 0
AMDeviceIsPaired: 1
AMDeviceValidatePairing: 0
AMDeviceStartSession: 0
AMDeviceStartService AFC: 0
AFCConnectionOpen: 0
AFCPlatformInit: (no retval)
notification: Entering shell in Normal Mode.
shell: Entering loop.
(iPHUC) /: setafc com.apple.afc2
AMDeviceStartService AFC: -402653150
AFCConnectionOpen: 0
(iPHUC) /: ls
ls: Directory '/' does not exist.
(iPHUC) /:

Doesn’t matter how many times I try it or close and restart Terminal.

Same result…

Posted by Jim Brown | August 15, 2007 8:26 PM

Awesome. I finally got this to work after several days of trying using the iPHUC instructions on their wiki and other stuff scattered across the net…

Your tutorial is great. I had a few hangups but the suggestion to open another terminal window and launch iPHUC again worked beautifully!

The other problem I had was that I had to cd into a directory several times in order to do a putfile into it: /System/Library/LaunchDaemons and /usr/libexec for sure, but I think there were others.

All in all an awesome set of instructions. Thanks!

~feyd

p.s. anyone know a way to get the phone to show more than 16 + 4 apps?

Posted by feyd | August 15, 2007 10:18 PM

Got everything to this point, which I have been stuck for a long time:
putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/com.apple.update.plist.original /System/Library/LaunchDaemons/com.apple.update.plist

putfile /Users/[user name]/Desktop/iPhone\ Hacking\ Kit/update.original /usr/sbin/update

“Failed to open remote file: 8”

Failed several times and just gave up for now. Any suggestions?

Posted by Mr. Chase | August 16, 2007 3:14 AM

I am having a problem with transferring the screenshot app to the phone. I get a port 22 error, connection refused. How do I get past this problem?

Posted by tinal | August 16, 2007 4:57 AM

Yeah, I’ve gotten as far as getting the SSH up and running (hurray!) but as soon as I try and run any of the programs I’ve installed, ls, rm, bash, all I get is “Permission Denied.” It’s particularly vexing in the case of scp, needed to transfer over the .apps…. I think I’ve run chmod to make them executable, though I got no output to that effect… anyways, any thoughts anyone has on this whole permission deal would be great. I’ll be the first to admit I probably messed up somewhere. Thanks.

Posted by Fatalbert | August 16, 2007 7:39 PM

Okay, so I did a complete restore using iTunes, to ensure a fresh start. Then, I executed the directions, step by step. Worked great with no issues, installed without a hitch, you might say exactly as it should. Except…

..except that when I try to connect, the connection just times out. I checked/double-checked the IP I am pulling on the iPhone, it’s as it should be. I also confirmed no firewall issues exist for port 22. Still, the connection times out. Here’s the debug output of the last attempt:

MacBook:~ myUserName$ ssh -vv root@192.168.2.25
OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.2.25 [192.168.2.25] port 22.
debug1: connect to address 192.168.2.25 port 22: Operation timed out
ssh: connect to host 192.168.2.25 port 22: Operation timed out

Any thoughts on what the “hang up” might be? At this point, I am running a completely stock iPhone with these instructions executed/installed against it. Any feedback will be more than welcome, so thanks in advance!

Posted by iPhoneWriter | August 17, 2007 1:27 AM

everything was fine until the step where i type ssh root@ ip ….
in terminal, and when i type it i get “ssh: connect to host xx.xxx.x.xx port 22: Connection refused”….!!!!!
what should i do..??!! please somebody HEEEELP

Posted by steve | August 17, 2007 10:04 AM

Hi,
I manage to fire commands such as “ls” or “chmod” when I type the complete path from the root (like “/bin/chmod”) but it says “not found” when I fire it directly (“chmod”).
Thus, I cannot have scp work from the Terminal…

Posted by nico | August 17, 2007 6:36 PM

Jackson and Joshua: I experienced two of the same problems you did. Omitting the trailing zero from “setafc com.apple.afc” indeed solves the first problem.

I also encountered the “Failed to open remote file: 9” errors for several of the files. After much experimentation (I’m not a UNIX guru), I found this to work:

Type “putfile” (no quotes), a space, then drag the source file from the Finder into the Terminal. Then type another space, enter the path from the right column (in the article above), then type a slash (/) and enter the filename from the left column (in the article above).

Examples:

putfile /Users/ccj/Desktop/iPhone\ Hacking\ Kit/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key

putfile /Users/ccj/Desktop/iPhone\ Hacking\ Kit/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key

putfile /Users/ccj/Desktop/iPhone\ Hacking\ Kit/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist

OK, that’s as far as I’ve gotten in the tutorial. If I encounter any more gotchas and discover the solutions, I will post them here.

Posted by ccj | August 18, 2007 4:27 PM

Great instructions! Took a little work to make it through iphuc quirkiness, but excellent job.

To automate the screenshot procedure, I recommend using two expect scripts to capture the screen and then copy back over to your Mac. I then encapsulate those two calls into an AppleScript. Doing this, you can perform a screenshot through a simple mouse click.

Here’s the first script:

#!/usr/bin/expect -f
# Expect script to supply the root/admin password for a remote ssh server
# and execute a command.
# This script needs three arguments to connect to the remote server
# (plus an optional fourth argument that is passed on to the remote script):
# password = Password of remote UNIX server, for root user.
# ipaddr = IP Address of remote UNIX server, no hostname
# scriptname = Path to remote script which will execute on remote server
# For example:
# ./sshlogin.exp password 192.168.1.11 who
# ------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# ------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ------------------------------------------------------------------------
# set Variables
set password [lrange $argv 0 0]
set ipaddr [lrange $argv 1 1]
set scriptname [lrange $argv 2 2]
set arg1 [lrange $argv 3 3]
set timeout -1
# now connect to remote UNIX box (ipaddr) with given script to execute
spawn ssh root@$ipaddr $scriptname $arg1
match_max 100000
# Look for password prompt
expect "*?assword:*"
# Send password aka $password
send -- "$password\r"
# send blank line (\r) to make sure we get back to gui
send -- "\r"
expect eof

Here is the second script (update username below):

#!/usr/bin/expect -f
# Expect script to supply the root/admin password for a remote ssh server
# and copy the captured screenshot back with scp.
# This script needs two arguments to connect to the remote server:
# password = Password of remote UNIX server, for root user.
# ipaddr = IP Address of remote UNIX server, no hostname
# For example:
# ./copyover.exp password 192.168.1.11
# ------------------------------------------------------------------------
# Copyright (c) 2004 nixCraft project
# This script is licensed under GNU GPL version 2.0 or above
# ------------------------------------------------------------------------
# This script is part of nixCraft shell script collection (NSSC)
# Visit http://bash.cyberciti.biz/ for more information.
# ------------------------------------------------------------------------
# set Variables
set password [lrange $argv 0 0]
set ipaddr [lrange $argv 1 1]
# scriptname and arg1 are left over from the ssh template and unused here
set scriptname [lrange $argv 2 2]
set arg1 [lrange $argv 3 3]
set timeout -1
# now copy the screenshot from the remote UNIX box (ipaddr) to the Desktop
spawn scp root@$ipaddr:/tmp/foo_0.png /Users/[username]/Desktop
# $scriptname $arg1
match_max 100000
# Look for password prompt
expect "*?assword:*"
# Send password aka $password
send -- "$password\r"
# send blank line (\r) to make sure we get back to gui
send -- "\r"
expect eof

Here is the AppleScript code (update each of the parameters for your needs – path of the .exp files, iphone password, and the IP address for the iPhone):

do shell script "expect /Users/rich/Development/icapture.exp dottie 10.0.1.197 /Applications/screenshot"
do shell script "expect /Users/rich/Development/copyover.exp dottie 10.0.1.197"

The process takes about 50-60 seconds once you run the script but it works.

– Rich Wagner

Posted by Rich Wagner | August 18, 2007 8:33 PM
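The expect scripts in the comment above work, but they take the root password as a command-line argument, where `ps`, the shell history and the AppleScript file all expose it in clear text. The following is an added example (not Rich Wagner’s scripts and not from the article) that performs the same capture-and-copy sequence with key-based authentication instead, so no password is typed or stored anywhere. It assumes a key pair generated on the Mac with `ssh-keygen` whose public half has been appended to /var/root/.ssh/authorized_keys on the phone (the default location dropbear reads); the IP address, key path and screenshot path are placeholders to adjust.

```shell
#!/bin/sh
# Added example: screenshot capture over ssh/scp with key auth, no expect,
# no password on the command line. Not part of the article or its comments.

IPHONE_IP="${IPHONE_IP:-10.0.1.197}"        # placeholder: your phone's Wi-Fi address
KEY="${KEY:-$HOME/.ssh/iphone_rsa}"         # private key; it never leaves the Mac
REMOTE_PNG="${REMOTE_PNG:-/tmp/foo_0.png}"  # where the screenshot app writes its file
DEST="${DEST:-$HOME/Desktop}"               # local folder that receives the PNG

# SSH_BIN / SCP_BIN exist so a caller can substitute a stub such as "echo"
# and see the exact commands without a phone attached.
SSH_BIN="${SSH_BIN:-ssh}"
SCP_BIN="${SCP_BIN:-scp}"

# BatchMode=yes refuses to fall back to an interactive password prompt, so a
# missing or rejected key fails loudly instead of hanging; ConnectTimeout
# bounds the wait, unlike the expect scripts' "set timeout -1".
capture() {
    "$SSH_BIN" -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "root@$IPHONE_IP" /Applications/screenshot
}

copy_back() {
    "$SCP_BIN" -i "$KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "root@$IPHONE_IP:$REMOTE_PNG" "$DEST/"
}

# snap: run the capture, and only copy back if it succeeded.
snap() {
    capture && copy_back
}

# Run as "sh icapture.sh run" from Terminal or an AppleScript do shell script.
case ${1:-} in
    run) snap ;;
esac
```

The AppleScript side then shrinks to a single `do shell script "sh /path/to/icapture.sh run"` with no password in it. Setting `SSH_BIN=echo SCP_BIN=echo` before calling `snap` prints the two commands instead of running them, which is a cheap way to check paths before trusting the script with the phone.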

Nico – you need to set your PATH environment variable in .bash_profile.

iPhoneWriter: If you are getting SSH timeouts, the SSH server is probably not running on the iPhone.

Posted by tecate | August 18, 2007 8:36 PM

steve: Your port 22 errors could be a firewall issue (on your Mac). Try this: go to System Prefs -> Sharing and enable Remote Login which will open port 22 on the Mac’s firewall. Just a thought.

Posted by ccj | August 19, 2007 1:09 AM

Steve – I too got the SSH connection refused on port 22. But I looked into the directories that I had copied files to and realized that I made some typos, thus the proper commands were never run on the phone booting. I would suggest backtracking to make sure. Good luck.

Posted by setec | August 19, 2007 9:51 PM
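The two port 22 errors reported in this thread come from different layers: “Operation timed out” means the TCP SYN was never answered at all (wrong address, phone not on the same network, or a firewall dropping packets), while “Connection refused” means the phone answered with a TCP reset, so it is reachable but nothing is listening on port 22 (the dropbear daemon never started, as setec found). The script below is an added example, not from the article or any commenter: it sorts the final `ssh:` line of an `ssh -vv` transcript into those categories and names the first thing to check for each. The sample transcript is constructed, modelled on the one iPhoneWriter posted above.

```shell
#!/bin/sh
# Added example: classify ssh connection failures from the client's own
# error line. Not part of the article or its comments.

# classify_ssh_error LINE: prints one category for an ssh error line.
#   unreachable : no TCP answer at all. Says nothing about dropbear's state.
#   no-listener : TCP reset received; host up, no SSH daemon on port 22.
#   auth-failed : TCP and SSH handshake worked; password or key rejected.
#   dropped     : the daemon accepted the connection and then closed it.
classify_ssh_error() {
    case $1 in
        *"Operation timed out"*|*"No route to host"*) printf 'unreachable\n' ;;
        *"Connection refused"*)                        printf 'no-listener\n' ;;
        *"Permission denied"*)                         printf 'auth-failed\n' ;;
        *"Connection closed"*|*"Connection reset"*)    printf 'dropped\n' ;;
        *)                                             printf 'unknown\n' ;;
    esac
}

# next_check CATEGORY: the first thing worth verifying for each category.
next_check() {
    case $1 in
        unreachable) printf '%s\n' 'Compare the IP under Settings > Wi-Fi with the one typed, and confirm Mac and iPhone share one network.' ;;
        no-listener) printf '%s\n' 'Phone reachable but no SSH daemon: re-check the dropbear plist and host key paths, then reboot the phone.' ;;
        auth-failed) printf '%s\n' 'Daemon is up: re-check the root password (or the key) you set.' ;;
        dropped)     printf '%s\n' 'Daemon accepted and then closed the connection: it started but failed during the SSH handshake.' ;;
        *)           printf '%s\n' 'Re-run ssh with -vv and read the last line that starts with "ssh:".' ;;
    esac
}

# diagnose_ssh_transcript: reads an "ssh -vv" transcript on stdin and
# classifies its last "ssh:" line; debug1/debug2 lines are ignored.
diagnose_ssh_transcript() {
    last=$(grep '^ssh: ' | tail -n 1)
    classify_ssh_error "$last"
}

# Constructed transcript in the shape of the "Operation timed out" report.
SAMPLE_TRANSCRIPT='OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 192.168.2.25 [192.168.2.25] port 22.
debug1: connect to address 192.168.2.25 port 22: Operation timed out
ssh: connect to host 192.168.2.25 port 22: Operation timed out'

# Constructed line in the shape of the "Connection refused" reports.
SAMPLE_REFUSED='ssh: connect to host 192.168.2.25 port 22: Connection refused'

# Stand-alone run: print each diagnosis with its suggested check.
main() {
    category=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | diagnose_ssh_transcript)
    printf '%s -> %s\n' "$category" "$(next_check "$category")"
    category=$(classify_ssh_error "$SAMPLE_REFUSED")
    printf '%s -> %s\n' "$category" "$(next_check "$category")"
}

main
```

To use it on a live attempt, pipe the client output in: `ssh -vv root@<phone-ip> 2>&1 | diagnose_ssh_transcript` (ssh writes its debug lines to stderr, hence the redirect).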

I didn’t read the flurry of posts, but hit the same problems as many people with the putfile command.

To solve this problem, just type a / and filename after your putfile command. For example:

putfile /[path to hacking kit]/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist

LaunchDaemons is a directory and the unix command putfile isn’t working smart enough to know to put the file in the directory with the same name. Putting the name after a / at the end of the path gets you through the error.

This is the same for the other commands in the table above.
…Dan

Posted by chipcustomizer.com | August 20, 2007 7:43 PM
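Dave, Ben Long, ccj and Dan all arrive at the same rule: the second argument to `putfile` must be the full remote path including the file name, and for the renamed files (the `.original` copies) the remote name differs from the local one. The following is an added example, not from the article or the commenters, that generates the exact `putfile` lines from a small two- or three-column table like the one in the article, escaping the spaces in the kit’s folder name, so the lines can be pasted into the iPHUC prompt unchanged. The table rows are constructed from the file names mentioned in this thread; the kit location is an assumption, overridable through `KIT`.

```shell
#!/bin/sh
# Added example: build iPHUC "putfile LOCAL REMOTE" lines with the file name
# always present in the remote path. Not part of the article or its comments.

# Assumed kit location; override with KIT=... before running.
KIT="${KIT:-$HOME/Desktop/iPhone Hacking Kit}"

# shell_escape PATH: backslash-escape backslashes and spaces so the path
# survives the iPHUC prompt's word splitting (as in the commenters' lines).
shell_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g'
}

# putfile_line LOCAL_NAME REMOTE_DIR [REMOTE_NAME]
# Prints "putfile <kit>/<local> <remote_dir>/<remote_name>". The third
# argument covers files that must land under a different name, e.g.
# com.apple.update.plist.original -> com.apple.update.plist.
putfile_line() {
    local_name=$1
    remote_dir=${2%/}                 # tolerate a trailing slash
    remote_name=${3:-$local_name}     # default: keep the local file name
    [ -f "$KIT/$local_name" ] || \
        printf 'warning: %s not found in %s\n' "$local_name" "$KIT" >&2
    printf 'putfile %s %s/%s\n' \
        "$(shell_escape "$KIT/$local_name")" "$remote_dir" "$remote_name"
}

# Constructed table, one row per file: "local_name remote_dir [remote_name]".
# Rows mirror the files named in the comments above.
KIT_TABLE='
dropbear_rsa_host_key /etc/dropbear
dropbear_dss_host_key /etc/dropbear
au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons
com.apple.update.plist.original /System/Library/LaunchDaemons com.apple.update.plist
update.original /usr/sbin update
'

# putfile_batch: emit one putfile line per table row, skipping blank rows.
putfile_batch() {
    printf '%s\n' "$KIT_TABLE" | while read -r local_name remote_dir remote_name; do
        [ -n "$local_name" ] || continue
        putfile_line "$local_name" "$remote_dir" "$remote_name"
    done
}

# Run as "sh putfile_lines.sh batch" to print the whole set.
case ${1:-} in
    batch) putfile_batch ;;
esac
```

The warning on stderr is deliberate: a row whose local file is missing from the kit folder is the other common reason `putfile` fails, and catching it before touching the phone is cheaper than reading iPHUC’s error numbers afterwards.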

I haven’t read this whole page yet because I see no point. I got to, “you need to have an Intel Mac”. Why can’t I use my iMac G5? I really want to do this but I am not gonna buy a new Mac just so my phone can sing.

Posted by James Summers | August 23, 2007 5:29 PM

to do this do you need a mac or can you use windows xp

Posted by ahmet bulbul | August 26, 2007 11:29 PM

Please Email me an answer!!! michael_withe21@hotmail.com

Has anyone successfully gotten through iPHUC using iFuntastic instead of jailbreak or other?

I am stuck at iPHUC’s “ls” command. I have tried other methods of exiting and closing, opening another terminal, but even when I don’t get an “InvalidResponce” with 0’s or the -402653165, it still either doesn’t recognize the “ls” command or it just lags on responding to further commands. What can I do???

Please just email me @ michael_withe21@hotmail.com

Posted by michael | August 29, 2007 4:24 AM

Hello, I have a Siemens c56 phone and I don’t like or want to keep the unmodifiable ringtones that come with the phone. Can u help me delete these so I can record my own? See, my phone actually has the option to record your own but I cannot delete the ringtones I do not want/need/use. I am running Windows XP.

any help would be appreciated.
you may contact me @ the above email address

Thank you
Donna

Posted by Donna | September 5, 2007 4:50 PM

FOR THOSE WHO CANNOT “ls” (or prove tether connection)

You can also try

setafc com.apple.afc

Rather than

setafc com.apple.afc.2

you know who you are…

Hope that helps..

Posted by devnull | September 8, 2007 9:56 PM

Don’t think this works with version 1.0.2.

Posted by eeMZee | September 10, 2007 1:40 PM

Many thanks for this information. Although this might sound weird, I don’t have a Mac with me. Is there a Windows version of this for non-Mac users to deploy the scripts and procedures you are all discussing on this site?

Many thanks,

JD

Posted by Juan Consuegra | September 10, 2007 11:03 PM

I run the manual jailbreak command line on OS X Mac Intel.

My jailbreak returns the error “Illegal instruction” at the step of releasing the 2 buttons for jailbreak.
Has anyone faced this problem?

iPhone sw version: 1.02
iTunes: 7.3.2 (already tested with iTunes 7.4.1, same error)

Posted by GG | September 12, 2007 11:39 AM

GG i’ve had the same problem as you. I think the newer iPhone software might block jailbreak from working for some reason. Maybe apple wanted to prevent hacks.

Posted by Josh | September 20, 2007 7:57 PM

Wow, all of that to hack the iPhone? Why not just install AppTapp and be done with it in seconds?

http://iphone.nullriver.com/beta/

Posted by Jen Sardam | September 20, 2007 9:09 PM

after loading the hacking kit into terminal every time I run ./iPHUC i get this:

-bash: ./iPHUC: cannot execute binary file

I have restarted several times and my phone is successfully jailbroken too…

Posted by eric | September 22, 2007 10:13 AM

Does this hack work for v1.1.1? I see here that the last comments were posted in August, way before the latest update was released. Will this hacking process “damage” my iPhone? If so, what is another website that you recommend to download/change/customize icons for my interface. Thanks!

Posted by Gigi | October 13, 2007 10:28 AM

Yes please let me know if this works for v1.1.1 as well?

Posted by troy | October 15, 2007 7:49 PM

Hi,
I might be asking 2 questions that have already been asked several times, but please do answer them.

1) Is it correct that if you’ve hacked the phone, it is still possible to use your warranty, IF you reset your software through iTunes?

2) Is it correct that if you’ve hacked the phone, it is no longer possible to update the software when a new software version has been launched?

Please do respond to my questions, I would really appreciate!

(And for the really nice people: mail the answers to my email: loicvanlaere@hotmail.com)

THANKS!!!

Posted by Loïc | November 21, 2007 10:58 AM

I need help please. I bought a cracked iPhone, the version of the software is 1.1.1, the phone works properly but I haven’t tried to put songs on it, so which version of iTunes shall I use to put the songs on if my software version is 1.1.1? And what should I not do so that I don’t ruin the crack?

Posted by bassem | December 3, 2007 12:11 PM

Hello, my name is Brian and I’m wanting to perform the iPhone hack, but I have one question or concern. You keep saying Mac as your computer; what if I don’t own a Mac but have a good PC that has Wi-Fi? Will that work or does the hack have to be done by Mac? Please write back.

Posted by Brian Mulkey | December 4, 2007 11:53 AM

the jailbreak fails every time. I have an iPhone running on v 1.1.2?
What am i doing wrong?

Posted by Billy | December 5, 2007 3:44 AM
