February 05, 2008

Guide to upgrade the iPhone to 1.1.3 - Securing your 1.1.2 OTB iPhone

Apple released the iPhone 1.1.3 firmware version in January 2008. From a security perspective, and according to Apple, the iPhone 1.1.2 presents a few vulnerabilities:
Continuing the iPhone series, once your iPhone 1.1.2 OTB has been activated and jailbroken, thanks to the iPhone Dev Team there is a new method to upgrade to 1.1.3 and stay secure. This post covers the easier option, that is, using the "Installer" to directly upgrade from the iPhone without requiring a PC (however, you need a WiFi connection to connect to the Internet). There are other methods for Windows and Mac too.

NOTE: All the third-party applications you previously installed will disappear from the Springboard. You will need to reinstall them after the 1.1.3 upgrade. Some capabilities will break, as this "hack" is pretty new, so stay tuned on the Internet (blogs, forums, etc.) for fixes. Most probably, this is the last post about general iPhone hacks in the RaDaJo blog; only security topics will be posted in the future.

You need to be very careful adding new "Installer" sources, as a buggy or malicious software package install can render your iPhone useless... iBrick! If this happens to you, you can repeat the whole jailbreak process going back to 1.1.1. At this point, after following the whole jailbreak guide, the only sources available should be:
  • AppTap: AppTapp Official (NullRiver).
  • Community Sources: Conceited Software, ModMyiFone.com and Ste Packaging.
  • Makayama Software (if you tried to install the iSIM software tool).

Prerequisites:
  • You need to start with an activated and jailbroken 1.1.2 iPhone. Check the guide to do it!
  • You need to install the BSD Subsystem v2.0, as we did when we enabled the phone capabilities. You can check the version from "Installer" by selecting the "Uninstall" button.
  • Disable the lock timeout, as we already did on STEP 3 of the 1.1.2 guide: Go to "Settings", select "General" and the "Auto-Lock" option. Set the value to "Never".
  • Go to "Installer" and select the "Update" button. You need to use "Installer" version 3.0. Previous versions won't work.
  • Establish a connection with your WiFi network to get Internet access.

Steps to upgrade to version 1.1.3:
  • Go to "Installer" and select the "Install" button. Go to the "System" category and install the "Official 1.1.3 Upgrade". At this time it is version 1.1.3-3. Click on "Install" twice.
  • As indicated by the message, exit "Installer" and run "Upgrade" from the Springboard.
  • The process asks if you want to use hacktivation and patch lockdownd. Answer "Yes" in order to be able to use the phone capabilities with the hardware SIM hack (iPhone 1.1.2 OTB has the 4.6 bootloader and it can only be unlocked using a SIM hardware hack at this time).
  • Then, it asks if you want to completely restore your device, deleting all data. It is recommended to answer "Yes" to avoid any software conflicts between versions (backup first!), although I answered "No" to check what applications and data survived. All data should be there (music, videos, etc) and the applications are still installed but not referenced from Springboard.
  • The iPhone now downloads the 1.1.3 firmware version from Apple and performs the appropriate hacks. You get a progress banner on the iPhone. This process takes a lot of time, around 30-60 minutes.
  • The last step shows an "Attempting to Reboot iPhone" message. If it stays there for more than 15 minutes without rebooting, hold down the Power and Home buttons until the phone shuts down. Then hold down the Power button to turn the iPhone back on, a process that will take a few minutes.
  • When the process completes, the iPhone reboots and runs firmware 1.1.3!! The baseband version is not modified using this procedure.
If you answered "No" to the first hacktivation question during the upgrade (as I did), then you need to patch lockdownd manually. Otherwise, iTunes will generate an error message and the iPhone remains in an unactivated state. Download the patched lockdownd version and transfer it to the iPhone through SSH: "scp lockdownd root@10.0.0.100:/usr/libexec/" (before this, make a backup copy of the previous lockdownd version). Verify that the file permissions are 555. You can reboot the iPhone and it will be active now.

One of the first recommended actions is to update the "Installer" sources. Go to "Installer", select the "Install" button and go to the "Sources" category. Install the "Community Sources", version 3.3 at this time. By default, the sources list only contained the "AppTapp Official" entry. New applications for 1.1.3, such as "Tweaks (1.1.3)", are populated on the list of available packages, and four new entries are added to the sources list.

Go to "Settings", then "General" and "About" to check that the "Version" now is "1.1.3 (4A93)" while the "Modem Firmware" is still "04.02.13_G". The 1.1.3 version includes new features; some of them could be simulated on 1.1.2, but now they are built into your device:
  • The first thing you notice is that it notifies you about "Edit Home Screen" capabilities. You can now rearrange icons on the Springboard.
  • The new Google Maps Faux-GPS, based on triangulating your location using the mobile cell towers, doesn't work because the baseband is not updated during the process. Go to "Installer", "Install" button, "All Packages", search and install "Navizon GPS" (currently version 1.1.4). Create an account in "Navizon" to use the location service, and when it locates you once, you are ready to use the Google Maps Faux-GPS (sometimes you need to set Navizon's "Invisible" switch to "Off").
  • You can now send SMS messages to multiple users simultaneously.
The previous activation and hardware-based unlock (based on the iSIM card) work perfectly with the new 1.1.3 version. iWorld must not be reinstalled. All capabilities work as they did on 1.1.2, except some of the previously installed third-party applications, plus a few well-known bugs, because now the Springboard runs as "mobile" and not as "root" (good security improvement):
  • You need to refresh the sources on "Installer" and reinstall previous software packages. Although at this point you can access the iPhone through SSH and run standard Unix commands, it is recommended to reinstall at least the BSD Subsystem and the OpenSSH server.
  • Reinstall the "BSD Subsystem" by going to "Installer", use the "Install" button, go to "System", and select and install the "BSD Subsystem" (v2.0). This fixes some VT100 terminal display issues (like backspaces not showing properly).
  • OpenSSH is a crucial service to manage your iPhone. It can be reinstalled by going to "Installer", select "System" and install "OpenSSH" (currently v.4.6p1-1). There is no icon on the Springboard on 1.1.3 to disable the service, and the device has the default password (root/alpine) :(
  • You cannot use the Unix "passwd" command to change the password on 1.1.3, as it is broken. Don't even try! You get a message indicating this when you install the BSD Subsystem. Replace the passwd command by uploading this file to the "/usr/bin" iPhone directory (rename it from passwd113 to passwd). Make a copy of the previous passwd file. Change the new file permissions to 755: "chmod 755 /usr/bin/passwd". Now, you can run "passwd" to change the default password from a SSH terminal.
  • The recommended SSH management tool is called "BossPrefs". Go to "Installer", then select the "Install" button, "All Packages" and install "BossPrefs" (v1.53). It provides capabilities to enable/disable the SSH server and even set its state when the iPhone restarts (through the "Config" menu).
  • Set up the iPhone to the appropriate timezone. If you go to "Settings" and "Date & Time", when you change the "TimeZone" the "/var/db/timezone/localtime" file is recreated. The directory is now owned by root, but the "Settings" application runs as "mobile", so it cannot recreate it. Change the directory permissions to 777: "chmod 777 /var/db/timezone".
  • Re-add the Makayama repository if you want to manage contacts with the iSIM tool.
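The lockdownd transfer (backup first, then verify mode 555), the passwd replacement (backup, then chmod 755) and the chmod 777 on "/var/db/timezone" above all come down to file modes that are easy to get wrong over a slow SSH session. The following POSIX sh script is an added example, not code from the original post or from the Dev Team: it offers a backup-then-replace helper and an audit that reports the three modes the guide expects, flagging the world-writable timezone directory as a warning. The device paths are the post's own; the staging directory is a constructed mock so the script can be dry-run without a device (on the iPhone itself, call audit with an empty root).

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade permission audit
# plus a backup-then-replace helper for the files the guide touches.
#   /usr/libexec/lockdownd  -> expected mode 555
#   /usr/bin/passwd         -> expected mode 755
#   /var/db/timezone        -> the guide sets 777; flagged as world-writable
# The staging tree built by make_staging is a constructed mock of those paths.

# mode_of FILE: print the octal permission bits (GNU stat, BSD stat fallback)
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# check_mode FILE EXPECTED: report and return 0 only when the mode matches
check_mode() {
    f=$1; want=$2
    if [ ! -e "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    have=$(mode_of "$f")
    if [ "$have" = "$want" ]; then
        echo "OK       $f ($have)"
        return 0
    fi
    echo "FAIL     $f (have $have, want $want)"
    return 1
}

# world_writable PATH: return 0 when the "other" write bit is set
world_writable() {
    m=$(mode_of "$1")
    other=${m#"${m%?}"}          # last octal digit = permissions for "other"
    [ $(( other & 2 )) -ne 0 ]
}

# install_with_backup SRC DST MODE: keep the current DST as DST.orig (once),
# copy SRC over it and set MODE, as the guide does for lockdownd and passwd
install_with_backup() {
    src=$1; dst=$2; mode=$3
    if [ -e "$dst" ] && [ ! -e "$dst.orig" ]; then
        cp -p "$dst" "$dst.orig"
    fi
    cp "$src" "$dst" && chmod "$mode" "$dst"
}

# audit ROOT: run the checks under ROOT ("" for the live device over SSH).
# Returns the number of hard failures; the world-writable directory is only
# a warning because the guide itself asks for it.
audit() {
    root=$1; fails=0
    check_mode "$root/usr/libexec/lockdownd" 555 || fails=$((fails + 1))
    check_mode "$root/usr/bin/passwd" 755 || fails=$((fails + 1))
    if [ -d "$root/var/db/timezone" ] && world_writable "$root/var/db/timezone"; then
        echo "WARN     $root/var/db/timezone is world-writable (any local user can swap localtime)"
    fi
    return "$fails"
}

# make_staging DIR: build a constructed mock of the relevant device paths
make_staging() {
    d=$1
    mkdir -p "$d/usr/libexec" "$d/usr/bin" "$d/var/db/timezone"
    : > "$d/usr/libexec/lockdownd"; chmod 555 "$d/usr/libexec/lockdownd"
    : > "$d/usr/bin/passwd";        chmod 755 "$d/usr/bin/passwd"
    chmod 777 "$d/var/db/timezone"
}

# Dry run: sh audit.sh --demo   (on the device: audit "")
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_staging "$tmp"
    echo "passwd113 placeholder" > "$tmp/passwd113"   # stands in for the downloaded file
    install_with_backup "$tmp/passwd113" "$tmp/usr/bin/passwd" 755
    audit "$tmp"
    rm -rf "$tmp"
fi
```

The audit only reports; it never changes a mode itself, so running it before and after each step of the guide tells you exactly which file drifted without risking another change on a device that is awkward to recover.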

NOTE:
The current 1.1.3-3 update fixes several issues of the previous 1.1.3 jailbreaks. There is a similar 1.1.3 method available from Nate True (FAQ); however, it seems it could present some issues, so the latest Dev Team (-3) method is the recommended one. More bugs, fixes and 1.1.3 jailbreak versions will appear. From now on, Google is your friend! ;)

Some final iPhone hacking news: Apple's applications signature key required by "official" iPhone third-party applications has leaked, and the iPhone 1.1.3 SDK framework documentation is available.

5 Comments:

Anonymous said...

Thanks a lot for your very clear explanations. I also made the mistake to answer No with Hacktivation.

Greg

5:38 AM  
Anonymous said...

Do you think I will need to install any app on the OTB 1.1.3 iPhone for use in foreign countries like Nigeria or Ghana?

2:52 AM  
Raul Siles said...

I don't know for those countries, but as far as you cannot get an AT&T contract there, you need to jailbreak and unlock the phone as in other non-iPhone countries.

7:05 PM  
Blogistics Services said...

Hi Raul, Tks for this info. My iPhone has a TurboSIM together with a local cell company SIM. What happens if I try to upgrade? Will it work?

On the other side, I don't know how to use OpenSSH. Can you explain it?

Tks a lot

7:28 PM  
Raul Siles said...

I cannot ensure it 100% for your TurboSIM, but it should work. All hardware SIMs seem to work with the new jailbreak process.

Re OpenSSH, I recommend you read the documentation at www.openssh.org. Simplifying it, it is a kind of secure telnet and ftp protocol.

10:47 AM  
