January 05, 2008

Guide to activate & jailbreak the iPhone 1.1.2 OTB on Windows - Jailbreak & Activate (3/4)

In STEP 3 the goal is to jailbreak the iPhone, that is, take control of the device in order to be able to activate it and run third-party applications. We are going to use Safari on an unactivated iPhone, and browse to a specific Web site that is going to exploit a vulnerability in the device and execute the code required to "free" the device.

Prerequisites:
  • Wireless (802.11b/g) Internet connectivity is required for the iPhone in order to activate and perform an initial jailbreak on the device.
  • iTunes is not required in this step. You can leave the iPhone plugged in to the USB port and iTunes running.
  • The default AT&T SIM card provided with the iPhone must be inserted in the phone.
1- Go to the iPhone activation screen that shows "slide for emergency" at the bottom and slide to get the "Emergency Call" window plus the phone keypad. Dial *#307# and press the "Call" button.

2- The iPhone will start ringing. While it rings, erase *#307# by using the back button on the top of your iPhone screen. Type 0 and press the "Call" button. The iPhone will start ringing again. This time you must press "Answer" (green button) and then press the "Hold" button. The iPhone will start ringing again. This last time press "Decline" (red button). You now get access to the menu showing options for the favorites, contacts, etc.

You need to perform the next step quickly so that you don't get locked out of the screen, as the default iPhone auto-lock timeout is one minute. If you are idle for more than one minute and get locked out, use this quick sequence to return to the same screen:
  • Press the iPhone Home button, slide the "slide for emergency" control, then press 0, press Call, press Answer, press Hold, and press Decline.
3- From the keypad screen, select "Contacts" and add a new contact through the [+] symbol:
  • Then select "First Last", add "Testing" as the contact name, and select Save.
  • Select "Add URL", type "prefs://1F", and select Save.
  • Select "Add URL" again, type "http://jailbreakme.com", and select Save.
When this is done, select "Save" again to store the new contact and the iPhone will take you to the contact "Info" page, displaying the name "Testing" and the two URLs you just added.

4- Select the "prefs://1F" URL and it will open the iPhone "Settings" page. Select "General" and then the "Auto-Lock" option. Set the value to "Never", so that the iPhone screen doesn't get locked during the next steps if you spend more than one minute reading this guide :)

5- Go back to the "Settings" screen. From there, select "WiFi", add or choose your wireless network, and make sure you are connected to it (you shouldn't get a connection error message).

6- Now, hit the Home button on the iPhone to go back to the activation screen, slide, and dial the number 0. The iPhone will ring again; press Answer, press Hold, and press Decline, just like before.

7- Now, select "Contacts" again and then the "Testing" contact added previously; this time go to the "jailbreakme.com" URL (the second one). At the time of testing, the domain resolved to the IP addresses 91.121.18.102 and 208.75.87.234. Safari will open and load the page. When the page loads, scroll down and click on "Install AppSnapp".

Safari will now close and the iPhone returns to the activation screen. It takes about one minute for the application to get installed. Be patient. At this point, the iPhone will restart. Once you get to the activation screen again, slide to access the dial keypad. When you do this, the iPhone will restart again. Once the iPhone comes back, you can slide to get access to all the iPhone functions/icons for the first time. At this point you are activated and jailbroken!

[*] Remember that in STEP 2 we downgraded the iPhone to version 1.1.1. The "jailbreakme.com" Web site takes advantage of a vulnerability in the version of the libtiff library shipped with iPhone version 1.1.1, reached through the MobileSafari browser. By exploiting this vulnerability it is able to run code on the device (see CVE-2006-3459 and the original exploit, plus source code).

The exploit inside the "/files/y.tiff" file at "jailbreakme.com" opens the iPhone for full disk access and installs the AppSnapp Installer for iPhone 1.1.1, called Installer.app, by Nullriver Software. At the time of this writing it installs version 3.0b4. In fact, the TIFF file opens the door for other files (from "/files") that are downloaded to the iPhone to perform the hack, such as "payload2.bin", "root.zip", or "youtube.zip". You can even build your own "jailbreakme" server (forums). [*]
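As an added, defender-side example (not from the original guide or from the jailbreakme project), this Python scanner walks a TIFF file's first image file directory and flags entries of the kind libtiff before 3.8.2 mishandled: value data declared past the end of the file, and "short pair" tags (DotRange, PageNumber, and so on) whose count exceeds the two values the library's fixed buffer held. The tag set and the sample files are assumptions constructed for the example.

```python
import struct

# Tags that libtiff before 3.8.2 copied into a fixed two-SHORT stack buffer
# (TIFFFetchShortPair) without checking the entry's count, the bug class
# behind CVE-2006-3459. Assumed set for this example; check your libtiff.
SHORT_PAIR_TAGS = {0x0129: "PageNumber", 0x0141: "HalftoneHints",
                   0x0150: "DotRange", 0x0212: "YCbCrSubsampling"}
# Byte size of each TIFF 6.0 field type (BYTE=1 ... DOUBLE=12).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def scan_tiff(data):
    """Walk the first IFD of a TIFF and return a list of findings (empty if clean)."""
    findings = []
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF header"]
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        findings.append("bad magic number %d" % magic)
    if ifd_off + 2 > len(data):
        return findings + ["IFD offset 0x%x points past end of file" % ifd_off]
    (n_entries,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    for i in range(n_entries):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            findings.append("IFD truncated after %d of %d entries" % (i, n_entries))
            break
        tag, typ, count, value = struct.unpack(end + "HHII", data[off:off + 12])
        size = TYPE_SIZES.get(typ)
        if size is None:
            findings.append("tag 0x%04x: unknown field type %d" % (tag, typ))
            continue
        # Values wider than 4 bytes live at 'value' as a file offset; bounds-check them.
        if count * size > 4 and value + count * size > len(data):
            findings.append("tag 0x%04x: %d bytes at 0x%x exceed file size" % (tag, count * size, value))
        if tag in SHORT_PAIR_TAGS and count > 2:
            findings.append("tag 0x%04x (%s): count %d where at most 2 fit the buffer"
                            % (tag, SHORT_PAIR_TAGS[tag], count))
    return findings

def build_tiff(entries):
    """Constructed little-endian TIFF with one IFD at offset 8; entries are (tag, type, count, value)."""
    ifd = struct.pack("<H", len(entries))
    for entry in entries:
        ifd += struct.pack("<HHII", *entry)
    ifd += struct.pack("<I", 0)  # next-IFD pointer: none
    return b"II" + struct.pack("<HI", 42, 8) + ifd

# Constructed samples: a well-formed DotRange pair, and a DotRange entry whose count is far too large.
BENIGN = build_tiff([(0x0100, 3, 1, 1), (0x0101, 3, 1, 1), (0x0150, 3, 2, 0x00FF0000)])
OVERSIZED = build_tiff([(0x0100, 3, 1, 1), (0x0150, 3, 64, 8)])
```

Running `scan_tiff` over files as they arrive (a mail gateway, a proxy, a triage script) gives a cheap structural check that does not depend on the image library's own parser being patched.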

The AppSnapp Installer is a software package management tool that allows you to add/install any third-party application on the iPhone. It places an "Installer" icon on the main iPhone screen for easy access to the community software repositories. Additionally, during the hack process the TIFF image-rendering library vulnerability is fixed (you're now more secure :) ), and YouTube is fixed too.

BTW, this jailbreaking process also works on the iPod Touch. When writing this portion of the guide I found a video covering exactly this step. The specific set of actions is slightly different but gives you an idea of what it should look like.

Some of the reasons Apple has argued for not allowing third-party applications are the potential loss of quality and instability on the device, as well as the security risk of getting malware. I agree that "untrusted" and external code can cause these issues, but users demand flexibility even at that cost. Anyway, this is changing with the currently available WebApps and resources for developers, plus the upcoming native application development kit (Feb'08?).

At this point, you have jailbroken and activated the iPhone, version 1.1.1, and you are ready to jump to the last step, STEP 4, in order to upgrade to version 1.1.2 and re-activate the iPhone.

4 Comments:

Blogger Unknown said...

Please help!
I did everything you guys said and everything went right until I started upgrading it back to 1.1.2. It has now been upgrading for the past 2 hours and it still says "preparing iPhone for software update"; my phone has rebooted about 6 times! What should I do now????
Thanks....

12:56 PM  
Blogger Raul Siles said...

Hi Viren,
If you're upgrading to 1.1.2, I guess you're in STEP4.
Please provide us more details by e-mail (so as not to overload the Blog comments section) about which specific action of STEP 4 you're on.

Thanks!

6:41 PM  
Anonymous Anonymous said...

Hi guys,
Thanks for the great tutorial. I managed to get to step 7. I couldn't connect to http://jailbreakme.com through safari. I even tried the ip address (208.75.87.234). I got the following error message "safari could not open the page because the server stopped responding".

I checked my wireless router (Dlink DI-524) 802.11g/2.4GHz. I checked and the router supposedly supports both 802.11b and 802.11g.

The only problem I can think of was the WEP security it had on the wireless. So I turned that off. I tried repeating step 6 so that I could get back to the "prefs://1F" iPhone Settings page to remove the security passcode.

I can get to the activation screen, but when I slide the "Slide for emergency" button, I get to the number pad and the screen just dims and all buttons get disabled. Pressing the home button brings me back to the activation screen. I've tried this many times but to no avail.

Do you guys know what is wrong? please help.

Thanks in advance!

10:02 AM  
Blogger Raul Siles said...

Hi Choon,
Please try to check if you can reach the same URL from a different device, such as a computer, using the same wireless network. The wireless security settings shouldn't be a problem, as the iPhone can manage most of them: open, WEP, WPA & WPA2.

Please send further questions through e-mail so as not to overload the Blog comments section. Thanks!

12:57 AM  