Closed GoogleCodeExporter closed 8 years ago
Ok, I'm sure that it's not possible to view an iPod touch 2G in Windows Explorer with or without iTunes installed. However, previous iPods have the ability to enable disk mode in iTunes. And for the backup, it is verified by the signature. And also, that's NOT a stupid thought; don't be scared to post an idea like that.
I don't know for sure; I don't know that for a sure fact anyway.
Original comment by Kalidmoh...@gmail.com
on 28 Dec 2008 at 3:57
For one thing, Apple would never enable disk mode after a bunch of exploits. Either way, even if it was somehow possible to patch your drivers and read the iPod/iPhone information, Apple would easily patch the hack. That's why all current hacks should be an exploit in the hardware. The TIFF exploit got patched really easily because of how vulnerable it was.
Original comment by sloppy...@gmail.com
on 28 Dec 2008 at 9:20
In response to your comments: thank you for the encouragement. I used to be into hacking the PSP and I can tell you that the crowd that post replies on PSP forums are not so nice (in general) LOL. I can understand that Apple would be keen to disallow disk view as it could lead to piracy in games from the App Store; however, all I know for sure is that iTunes has access to the disk. When I next get to a computer I will try taking some parts of iTunes apart with ResHacker. As I am inexperienced this will probably gain little.
Somehow iTunes can make a connection to the iPod's disk for syncing, so if we can somehow find a way to access the iPod's disk, that would give a great opportunity for an exploit. My other thought was that there are other programs that can allow syncing of the iPod without using iTunes. Could these be of any use to the hackers? As I have said, I know little about programming; however, I have picked up quite a lot of useful experience in this kind of thing. I really am not criticising chronicdev, but maybe they are looking into far more advanced iPod territory than is necessary. Keep up all your good work though, chronicdev, as it will be great for a jailbreak to be released.
Alex
Original comment by malagut...@gmail.com
on 28 Dec 2008 at 9:56
I used to hack PSPs for 3 years and I'm quite known for it :). You most likely cannot ResHack iTunes as it is an encrypted resource. As for the connection between iTunes and the iPod touch, I'm sure you're right that it could be an exploit. BUT what I do know is that iTunes does not install the apps; all it does is transfer them and have the iPod install it and report the failure to iTunes. Although there is a unique connection iTunes has because of the transfer of the apps to the iPod. Which we don't have!! I don't know much about programming either; I'm only 16.
Original comment by Kalidmoh...@gmail.com
on 28 Dec 2008 at 10:34
I can see your point + I'm only 14 :-)
It makes sense for the iPod to install the data when it has been transferred through iTunes. That can let the iPod approve any codes. If they were approved on a computer, which can be freely dissected, then Apple would be a bit screwed.
As I have been writing this I have taken apart itunes.exe with ResHacker and have found something interesting. The following script is located in the "24" section in the itunes.exe file:
<!-- Set application to run with user privilege but no virtualization. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
  <security>
    <requestedPrivileges>
      <requestedExecutionLevel
        level="asInvoker"
        uiAccess="false"
      />
    </requestedPrivileges>
  </security>
</trustInfo>
</assembly>
Maybe I am wrong, but this seems like the way in which privileges are selected. Could we change this? I am not sure and I will stand corrected, but where it says uiAccess="false", could this be an opportunity to gain higher privileges with iTunes?
I will back up my iTunes library and I will try changing the value to true and scan a bit more closely through some of the other files.
Alex
Original comment by malagut...@gmail.com
on 29 Dec 2008 at 10:02
Did some research on uiAccess="true" and found the following on
http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.ui/2007-01/msg00097.html
"Since UIAccess=true apps can bypass the process isolation boundaries, we put two extra requirements on them before they will be launched by the O/S"
This is relating to another situation, but could this possibly allow us to "bypass the process isolation boundaries"? I am not 100% on the meaning of that; however, bypassing anything that Apple blocks must be a bit of a step forward.
Alex
Original comment by malagut...@gmail.com
on 29 Dec 2008 at 10:12
Ohh, I then found this following the above quote:
1) They are Authenticode signed with the signing cert chaining to a cert in the machine's trusted root store
2) the application sits in a protected system location (like under \program files or under \windows\system32)
Useful? It would be great if one of the chronic dev guys would give me a thumbs up or down if I am on the right track.
Original comment by malagut...@gmail.com
on 29 Dec 2008 at 10:14
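As an added illustration of the manifest discussed in the two posts above (this is editor-added example code, not something from the thread, from Chronic Dev, or from Apple), the script below parses the requestedExecutionLevel element out of a Windows application manifest and audits it against the two loader requirements quoted from the Microsoft post: a binary that declares uiAccess="true" must be Authenticode-signed and must live under Program Files or Windows\System32, or Windows refuses to start it. The manifest text, the install paths and the signed/unsigned flag are all constructed inputs; the namespace URIs are the real ones Windows manifests use. The point the code makes is that the manifest only requests a level; the operating system decides whether to grant it, so flipping the attribute in a copy of the binary changes the request and nothing else.

```python
import re
import xml.etree.ElementTree as ET

# Real namespace URIs used by Windows application manifests.
NS_V3 = "urn:schemas-microsoft-com:asm.v3"

# Constructed sample manifest modelled on the fragment quoted in the thread;
# it was not extracted from any real binary.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <!-- Set application to run with user privilege but no virtualization. -->
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Locations the loader treats as "secure" for uiAccess=true (Program Files, System32),
# expressed as regexes over a lower-cased, backslash-normalised Windows path.
SECURE_LOCATION_PATTERNS = (
    r"^[a-z]:\\program files( \(x86\))?\\",
    r"^[a-z]:\\windows\\system32\\",
)


def parse_requested_privileges(manifest_xml):
    """Return {'level': str, 'uiAccess': bool} from a manifest, or None if the element is absent."""
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{NS_V3}}}requestedExecutionLevel")
    if node is None:
        return None
    return {
        "level": node.get("level", "asInvoker"),
        "uiAccess": node.get("uiAccess", "false").lower() == "true",
    }


def in_secure_location(path):
    """True if the path is under one of the loader's secure locations."""
    norm = path.replace("/", "\\").lower()
    return any(re.match(pattern, norm) for pattern in SECURE_LOCATION_PATTERNS)


def audit_manifest(manifest_xml, install_path, authenticode_signed):
    """Return a list of findings explaining why the loader would refuse the requested level
    (empty list means the request is consistent with what Windows will grant)."""
    priv = parse_requested_privileges(manifest_xml)
    findings = []
    if priv is None:
        findings.append("no requestedExecutionLevel element; loader falls back to compatibility heuristics")
        return findings
    if priv["uiAccess"]:
        if not authenticode_signed:
            findings.append("uiAccess=true but binary is not Authenticode-signed: loader refuses to start it")
        if not in_secure_location(install_path):
            findings.append(f"uiAccess=true but {install_path!r} is outside Program Files/System32: loader refuses to start it")
    if priv["level"] == "requireAdministrator":
        findings.append("requires elevation at launch (UAC prompt)")
    return findings


def set_ui_access(manifest_xml, value):
    """Return a copy of the manifest with uiAccess rewritten, to show that the attribute
    is only a request: the audit on the edited copy still reports the loader's refusal."""
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{NS_V3}}}requestedExecutionLevel")
    node.set("uiAccess", "true" if value else "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed paths for the demonstration.
    print(audit_manifest(SAMPLE_MANIFEST, r"C:\Program Files\Example\app.exe", True))
    edited = set_ui_access(SAMPLE_MANIFEST, True)
    print(audit_manifest(edited, r"C:\Users\alex\Desktop\app.exe", False))
```

Run as a script it prints an empty finding list for the original manifest and two findings for the edited, unsigned copy sitting on a desktop: the request was changed, the grant was not.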
It's good to see that this issue is being worked on seriously, and cheers to malagutial for not being like those *other* issues, where nonsense is placed first and complaints second.
HAIL TO CHRONICDEV!!!
Original comment by nintendo...@gmail.com
on 29 Dec 2008 at 12:18
malagutial: you are wasting your time here, I guess.
The problem is simple:
- The iPod touch V2 will only accept applications that are signed with a legit certificate: a database of legit certificates is installed in the iPod itself. Certificates rely on the RSA public/private key mechanism. It is proven to have no flaws.
- The iPod touch V2 will only install a firmware encrypted with the right key. We do not know it. It is secret: known only by Apple. There are no known ways to discover it.
To summarize:
- The iPod touch V2 firmware is not modifiable at all for the moment.
- The current firmware won't accept non-legit apps.
So, you can try to search every byte of iTunes; you won't be able to change this situation.
If there is a flaw, it is in the iPod touch firmware. This is where to search and this is where Chronicdev is searching.
I have a question after reading my post:
- Is there a way to add certificates into the database of trusted certificates? How can iPhone developers test their apps on their own iPhones after paying $99? Is the certificate they use self-made or is it made by Apple?
-> I know that it is possible to add Wi-Fi (TLS) certificates into the iPod touch with an enterprise app: iPhone Configuration Utility.
-> iPhoneBrowser/iRecovery can modify some files in the iPod filesystem.
Thanks for all your useful reversing, Chronic. We are all behind you. Keep it up!
Original comment by cyril.ca...@gmail.com
on 29 Dec 2008 at 12:49
Hey there,
I've searched for a while in the last few days about jailbreaking 2G and finally stumbled here.
I think it's a nice thing to make the dev public like this. Show everybody what you're working on and give space for user thoughts (if you read it at all ;) ). Perhaps you're getting on the right idea this way.
Now you guys here have very good ideas. Now I'll add mine ;) I don't know much about jailbreaking and seeking exploits, but the problem is the WAY, so:
1) What about copying certificates onto "homebrew"? So the iPod thinks it's an original.
2) Searching apps for exploits, or do they have no access to firmware files (some apps write logfiles on iPod/iPhone)?
3) Does the firmware package install itself on iPod/iPhone when it's transferred to it like apps? Or does iTunes open access to flash memory and write the files directly on updating?
4) Security holes in the firmware itself? Like a way to simulate an incoming update but, instead of writing the original files, use another source.
And one last personal question:
Is this a main project? So another crew concentrates on iPod touch jailbreaking because the DevTeam only develops on iPhone? If so, GO ON GUYS! And don't get disturbed with things like Issue I + II.
Original comment by knighToF...@gmail.com
on 29 Dec 2008 at 1:55
What I am trying to say is iTunes does have a unique connection with the iPod touch that we currently do not have right now. For example, when you sync, the iPod touch tells you it syncs and iTunes can actually transfer the apps and wait for the iPod touch to verify and install it. It is obviously an encrypted connection.
Sorry for my spelling errors + are you really 14? You know a lot; I thought you were 19 + how old is chrono?? Just curious because of his knowledge.
Original comment by Kalidmoh...@gmail.com
on 29 Dec 2008 at 4:22
Cyril, thanks for your comment. It makes sense and I suppose there maybe is no exploit there. What I am sure of is that somewhere in the registry of our computers or inside hidden files deep within the system there is an exploit. With PCs and Macs we have the ability to do far more than the iTouch allows us to, so if there is an exploit, the easiest place to find it would be using the computer.
Question: when an app is downloaded to your computer from the App Store, is the code unique for every iPod? I know this is what Sony did with the PSPs. Also, are you sure that the codes are compared to a list inside the iPod, because they could be mathematically generated. You know, when you have a number there must be a letter followed by two numbers higher, that sort of thing. If that was the case, could we have a look at the list in the 1st gen (if there is one) and create a keygen? If anyone knows how.
Kalidmohomed, I am 14 and also I am not part of chronicdev, so I don't know how old chrono is. Sorry. I would expect he is an adult though :-p
Alex
Original comment by malagut...@gmail.com
on 30 Dec 2008 at 9:22
"iTunes does have a unique connection with the iPod touch that": it's hard to explain, but the reason iRecovery and iPhoneBrowser work is that they are using files that were originally built for iTunes and calling the hidden functions of these files (aka DLLs). It's easier to understand if you have programming experience, but you will find none of these tools work without iTunes because that's what powers them. iTunes doesn't willfully let them, but DLL + a few tools = guess hidden function names etc. etc., which then a 3rd party application can exploit.
Original comment by storm...@gmail.com
on 30 Dec 2008 at 9:50
PS: ResHack will not help at ALL, unless it's with modifying the firmware. ResHack is to modify "resources" within an application; it will not help to exploit something, merely let you modify the way things look. A common use of it, for example, was to extract MSN styles to modify them.
Original comment by storm...@gmail.com
on 30 Dec 2008 at 9:56
I think it would be a great insight for all people, before they make suggestions, to watch http://video.google.com/videoplay?docid=713763707060529304 at Google Video, which talks about how the iPhone dev team hacked the iPhone, as ultimately it is the same operating system. Don't bother watching the Baseband bit, but watch from 2:56 (Hacking the Applications Processor) to 23:00 ('That's basically where we are').
I know this is twenty minutes of your life, but understanding these things could help form ideas that might have some feasibility.
Notice how every piece of code checks everything, and apps run as 'mobile', not 'root' (7:39 and 9:20), so cannot access other parts of the system.
Original comment by simon.ho...@gmail.com
on 30 Dec 2008 at 1:54
Ok then, I know this is a stupid question but I'm gonna ask it anyway.
What exactly is chronic dev searching for and doing right now?
Malagutial: don't worry about it; I was just curious, it's not a big deal.
Original comment by Kalidmoh...@gmail.com
on 30 Dec 2008 at 2:39
I got a unique idea: since finding an exploit for the iPod Touch 2G firmware is too hard at the moment, try finding a way to put apps that are unregistered (apps from Appulo.us) on the iPod. Find a way to verify them for the iPod. Smaller file = less code to figure out.
Original comment by guita...@yahoo.com
on 30 Dec 2008 at 2:45
No man... all the sig-checking code resides on the iPod itself, so they have to look into the iPod and its software/firmware to find a way through.
The cert that is attached to the .app file is obviously unique to that file and has information about the file, like hash values, keys, CRC stuff. It does sound easy to do, but I'm sure that the guys are/have already looked into that... :)
Original comment by dhruvja...@gmail.com
on 30 Dec 2008 at 5:49
Wow, looks like Apple went through a lot to prevent pirated apps and a jailbroken iPod touch.
They must have been pissed and lost a lot of money with the original iPod touch.
Wonder how much they spent on the security system for the 2G iPod touch, because it's almost been 4 months and it's still not jailbroken.
Original comment by Kalidmoh...@gmail.com
on 30 Dec 2008 at 7:47
I was wondering if you could do a buffer overflow exploit with a modified picture like they did with the PSP, because I have Windows 7 installed and it recognizes my iTouch 2G as a camera and I can open all my pictures.
Original comment by mshanno...@gmail.com
on 30 Dec 2008 at 9:16
Ok, I've read about 90% of the comments here and thought I'd throw in my 2 cents' worth, but I guess I'm also asking a question with it.
If the problem is the connection between iTunes and the touch and it being transferred, then why not send a legit app? This may seem sort of like a suicide attempt, but if someone had the dev kit for the touch apps and made an app that could return data about the firmware or even possibly implant some sort of trojan onto the touch and let it search its way around.
Now this is all from an inexperienced hacker; I'm just trying to look at all this from a logical sense.
Also, I just want to give thanks to the dev team for putting so much effort and work behind jailbreaking the 2G.
Original comment by NobleRoo...@gmail.com
on 30 Dec 2008 at 10:09
Yeah, couldn't we possibly put some kind of a hidden picture virus in that picture folder and then rename the iPod touch picture with a JPG extension so that virus could modify the iPod touch when it disconnects? Because the iPod touch is recognized as a camera.
Original comment by Kalidmoh...@gmail.com
on 30 Dec 2008 at 10:12
How about trying to literally go straight through it, like instead of editing the firmware to give you 2 new programs (Cydia and Installer), edit, like, the regular App Store and add a new app.
Original comment by evANG...@aim.com
on 30 Dec 2008 at 10:27
Again, see comment 16. Local applications are signed, so editing them would render the signatures incorrect and would stop them working. Also, they run as a NON-ROOT user, so are unable to edit the system.
Original comment by simon.ho...@gmail.com
on 30 Dec 2008 at 10:33
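To make concrete the signature-checking model that cyril.ca describes above (a database of trusted certificates inside the device, RSA public/private keys) and the point simon.ho just repeated (editing a signed application invalidates its signature), here is an editor-added example; it is not code from this thread, from Chronic Dev or from Apple, and it says nothing about how the real device implements its checks. It uses textbook RSA with two Mersenne primes and a truncated SHA-256 digest, which is deliberately a toy (real code signing uses much larger keys and a padded signature scheme), and the trust store, signer names and bundle payloads are all constructed. It shows what happens to a legitimately signed bundle, a tampered copy, a bundle signed with an unknown key, and the "copy the trusted identity onto homebrew" idea from knighToF's list: only the first one installs.

```python
import hashlib

# Toy RSA parameters for illustration only: Mersenne primes 2^89-1 and 2^107-1 and the
# usual public exponent. The modulus is about 2^196, far too small for real use.
P = (1 << 89) - 1
Q = (1 << 107) - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA. 65537 is coprime to phi for these primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest(data):
    """SHA-256 truncated to 160 bits so the integer is below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big")


def sign(private_key, data):
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data)


# Constructed device-side trust store: signer id -> public key. Only the "vendor" key is trusted.
VENDOR_PUB, VENDOR_PRIV = generate_keypair()
TRUST_STORE = {"vendor-appstore": VENDOR_PUB}


def make_bundle(signer, private_key, payload):
    """A signed app bundle: the payload bytes, who claims to have signed them, and the signature."""
    return {"signer": signer, "payload": payload, "signature": sign(private_key, payload)}


def install_app(trust_store, bundle):
    """Mimic the device-side check: look the claimed signer up in the trust store, then verify
    the signature over the payload under that key. Anything else is rejected before install."""
    pub = trust_store.get(bundle["signer"])
    if pub is None:
        return "rejected: unknown signer"
    if not verify(pub, bundle["payload"], bundle["signature"]):
        return "rejected: bad signature"
    return "installed"


# Constructed bundles for the four cases discussed in the thread.
LEGIT = make_bundle("vendor-appstore", VENDOR_PRIV, b"Payload/Example.app/binary v1")
TAMPERED = dict(LEGIT, payload=LEGIT["payload"] + b" (patched)")  # edited after signing

# A second, untrusted key pair (Mersenne primes 2^127-1 and 2^89-1) standing in for "homebrew".
HOMEBREW_PUB, HOMEBREW_PRIV = generate_keypair(p=(1 << 127) - 1, q=(1 << 89) - 1)
HOMEBREW = make_bundle("homebrew", HOMEBREW_PRIV, b"Payload/Homebrew.app/binary")
COPIED_IDENTITY = dict(HOMEBREW, signer="vendor-appstore")  # claims the trusted identity, keeps its own signature


if __name__ == "__main__":
    for name, bundle in [("legit", LEGIT), ("tampered", TAMPERED),
                         ("homebrew", HOMEBREW), ("copied identity", COPIED_IDENTITY)]:
        print(f"{name:16} -> {install_app(TRUST_STORE, bundle)}")
```

The design point is that the device never trusts anything the bundle says about itself; the only thing that matters is whether a key already in the trust store verifies the bytes as they are now. Changing one byte of the payload, or relabelling a bundle with a trusted name, leaves the signature mismatched, which is why the thread's "copy the certificate" and "edit the signed app" suggestions do not get past the check.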
Just thought I would look around using Visual Studio 2008 at some random apps. I found something that may or may not be of some help:
Payload/Night Stand.app/green9.png
It looks like the apps might be stored in some directory called Payload. Not sure if this is any help, but just throwing it out there.
Also, is there some sort of program to view files in the touch?
Original comment by NobleRoo...@gmail.com
on 30 Dec 2008 at 10:34
Ok, so I'm watching the video in comment 16 and I see what you're talking about, hollingshead.
I'm gonna watch the rest of the vid and see what I can come up with.
Original comment by NobleRoo...@gmail.com
on 30 Dec 2008 at 10:46
Jailbreaking an iPod has much more to do with the files that are accessible from Windows Explorer. Basically, what you're doing when you're jailbreaking an iPod is finding an exploit (a way to bypass security measures in a device's coding) in the iPod's boot loading scripts.
These bootloaders are sometimes visible through Windows Explorer, depending on the device, but newer devices (such as the iPods and iPhones) have the bootloaders tucked into their firmware.
Currently, chronic dev has figured out some of the ways that the booting scripts function, and the level of security that Apple has put on them. Basically, what needs to be done is the team needs to find a "hole" in the bootloading script that would allow them to insert new scripts that the iPod wouldn't normally accept. This is simply a process that takes time and testing. It's possible that an exploit could be found in the bootloader, or it's possible hardware changes would have to take place to jailbreak the iPod. It's just a matter of time and effort. Unless you have experience with Apple devices + their software language, the best way to help the team is to make a donation.
Original comment by mgil...@gmail.com
on 31 Dec 2008 at 5:11
I think what needs to happen is an internal hardware flaw needs to be found. If they find one then it will allow them to create a jailbreak. All of you have probably just read my first two sentences and thought completely the opposite; however, if they can create a jailbreak on 1 iPod, regardless of the way they do it, they can script a program to work on all unjailbroken iPods (2G), which will allow a soft mod.
This is all theoretical as it assumes that they will be able to gain access to the codes Apple use to allow signed or unsigned sigs.
Alex
Original comment by malagut...@gmail.com
on 31 Dec 2008 at 9:08
Original comment by will.chr...@gmail.com
on 31 Dec 2008 at 4:36
Hi, I have read most of the posts about using *legit* applications to find a jailbreak. So why not? Before I start my idea, can I just say I have hardly any knowledge of hacking.
1. Get someone to create a *good* free game for the iPod Touch.
2. Have the game have a hole in it somewhere so you can get inside the iPod using the application?
3. I doubt Apple try and hack their own iPods when every game is submitted, and maybe word could get round and you could download it and tada.
Sorry if this is just stupid, but I thought I would voice my thoughts :D
Good luck Chronic Dev
Ben
Original comment by fatshark...@gmail.com
on 31 Dec 2008 at 4:47
fatshark.ben: Again, comment 16 - applications run in a sandbox as a low-permission user and have no access to the system. Without root, you can't get 'into' it.
Original comment by simon.ho...@gmail.com
on 31 Dec 2008 at 5:11
What does Status: Done mean??
Original comment by carlosfd...@hotmail.com
on 31 Dec 2008 at 5:57
It means that this "issue" really isn't an issue and it's been taken care of. It DOESN'T mean the jailbreak has been done; only the status of the so-called issue has been set to "done". This issue has not been moderated by will.chronic, so DON'T consider this as official news from the DevTeam.
Original comment by dhruvja...@gmail.com
on 31 Dec 2008 at 9:19
So there is no longer a problem finding an exploit and chronic is closer to the jailbreak?
Original comment by rocky...@gmail.com
on 31 Dec 2008 at 9:28
So the jailbreak is almost done because the last two things were finding an exploit? Am I right???
Original comment by carlosfd...@hotmail.com
on 31 Dec 2008 at 10:14
"Almost done"? lol, good luck finding an exploit :P
But I'm guessing once somebody finds an exploit, the jailbreak is near.
Original comment by gimme.le...@gmail.com
on 1 Jan 2009 at 12:55
It could just be that the Dev team is tired of all our annoying comments in this issue. :/
Original comment by NobleRoo...@gmail.com
on 1 Jan 2009 at 12:57
And I don't think anyone from the chronic team has found an exploit, or else it would have been announced.
Original comment by gimme.le...@gmail.com
on 1 Jan 2009 at 12:57
I'd love to help you but I don't know how, but why is it taking you months to hack it? Please, if you are able, hack it or help us to put the cracked apps on it. Please, thanks for help. My email is farza69@gmail.com
Original comment by Farza69@gmail.com
on 1 Jan 2009 at 10:14
Could be, Rooster, lol. Just don't rush them; I think they know what they are doing.
Original comment by gimme.le...@gmail.com
on 1 Jan 2009 at 1:38
Ok, if anyone on the chronic dev team is on, help me, or anyone who knows how.
I want to try and help find the exploits. What do I have to do or need to help?
Original comment by maplesto...@live.com
on 1 Jan 2009 at 6:07
I support this dev team 100%!!!
Original comment by coenisco...@gmail.com
on 1 Jan 2009 at 7:56
Me too
Original comment by maplesto...@live.com
on 1 Jan 2009 at 7:59
Maybe accessing as root user... from booting
Original comment by rodri1...@gmail.com
on 1 Jan 2009 at 8:10
How'd you do that?
Original comment by maplesto...@live.com
on 1 Jan 2009 at 8:14
I know Chronic dev has a lot to do, but I want to know when they will finish their work... I really want to jailbreak this motherfuckin' iPod touch 2G... pls give me an answer :`(
Original comment by TimoAd...@hotmail.de
on 1 Jan 2009 at 8:29
Chronic may never find an exploit. Be prepared for that. The jailbreak is still far away, as I understand when I am reading this wiki.
Original comment by cyril.ca...@gmail.com
on 1 Jan 2009 at 8:42
Well, if you guys want to help, then go find some security holes in the 2G :P
Original comment by gimme.le...@gmail.com
on 1 Jan 2009 at 10:47
lol =)
Original comment by coenisco...@gmail.com
on 1 Jan 2009 at 10:49
Original issue reported on code.google.com by
malagut...@gmail.com
on 28 Dec 2008 at 9:36