ohio813 / chronicdev

Automatically exported from code.google.com/p/chronicdev

Finding an exploit. #3

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
ChronicDev Team,

I have been thinking of any way that would allow you to get inside the iPod on a Windows or Mac computer. I am using Windows, so here is my idea: if you could find a way to open the iPod in Windows Explorer through My Computer, there may be some files that could help you. The iPod already allows you to view a downloaded pictures folder through My Computer, but the rest of the iPod is invisible. I accidentally achieved this when I was browsing through a friend's iPod and had no experience with them. I did not install iTunes, but I installed the iPod and I saw all of the iPod's system files through My Computer.

My other thought was if there was any way of modifying the backed-up data in c:\Documents and settings\USERNAME\application data (that is on a Windows PC obviously). Would it be possible to add some extra files into the backed-up data, then restore the iPod with a modified backup?

I am not a very experienced hacker, so please don't just laugh in my face. Your team is working towards a jailbreak in the iPod Touch 2G and I just hope I can help.

Thanks for your time,

Alex

Original issue reported on code.google.com by malagut...@gmail.com on 28 Dec 2008 at 9:36

GoogleCodeExporter commented 8 years ago
OK, I'm sure that it's not possible to view an iPod touch 2G in Windows Explorer with or without iTunes installed. However, previous iPods have the ability to enable disk mode in iTunes. And for the backup, it is verified by the signature. And also, that's NOT a stupid thought; don't be scared to post an idea like that.

I don't know for sure; I don't know that for a sure fact anyway.

Original comment by Kalidmoh...@gmail.com on 28 Dec 2008 at 3:57

GoogleCodeExporter commented 8 years ago
For one thing, Apple would never enable disk mode after a bunch of exploits. Either way, even if it was somehow possible to patch your drivers and read the iPod/iPhone information, Apple would easily patch the hack. That's why all current hacks should be an exploit in the hardware. The TIFF exploit got patched really easily because of how vulnerable it was.

Original comment by sloppy...@gmail.com on 28 Dec 2008 at 9:20

GoogleCodeExporter commented 8 years ago
In response to your comments: thank you for the encouragement. I used to be into hacking the PSP and I can tell you that the crowd that post replies on PSP forums are not so nice (in general) LOL. I can understand that Apple would be keen to disallow disk view as it could lead to piracy in games from the App Store; however, all I know for sure is that iTunes has access to the disk. When I next get to a computer I will try taking some parts of iTunes apart with ResHacker. As I am inexperienced this will probably gain little. Somehow iTunes can make a connection to the iPod's disk for syncing, so if we can somehow find a way to access the iPod's disk, that would give a great opportunity for an exploit. My other thought was that there are other programs that can allow syncing of the iPod without using iTunes. Could these be of any use to the hackers? As I have said, I know little about programming; however, I have picked up quite a lot of useful experience in this kind of thing. I really am not criticising Chronic Dev, but maybe they are looking into far more advanced iPod territory than is necessary. Keep up all your good work though, Chronic Dev, as it will be great for a jailbreak to be released.

Alex

Original comment by malagut...@gmail.com on 28 Dec 2008 at 9:56

GoogleCodeExporter commented 8 years ago
I used to hack PSPs for 3 years and I'm quite known for it :). You most likely cannot reshack iTunes as it is an encrypted resource. As for the connection between iTunes and the iPod touch, I'm sure you're right that could be an exploit. BUT what I do know is that iTunes does not install the apps; all it does is transfer them and have the iPod install it and report the failure to iTunes. Although there is a unique connection iTunes has because of the transfer of the apps to the iPod. Which we don't have!! I don't know much about programming either; I'm only 16.

Original comment by Kalidmoh...@gmail.com on 28 Dec 2008 at 10:34

GoogleCodeExporter commented 8 years ago
I can see your point + I'm only 14 :-)
It makes sense for the iPod to install the data when it has been transferred through iTunes. That can let the iPod approve any codes. If they were approved on a computer, which can be freely dissected, then Apple would be a bit screwed.
As I have been writing this I have taken apart iTunes.exe with ResHacker and have found something interesting. The following script is located in the "24" section in the iTunes.exe file:

<!-- Set application to run with user privilege but no virtualization. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel
                level="asInvoker"
                uiAccess="false"
            />
        </requestedPrivileges>
    </security>
</trustInfo>

</assembly>

Maybe I am wrong, but this seems like the way in which privileges are selected. Could we change this? I am not sure and I will stand corrected, but where it says uiAccess="false", could this be an opportunity to gain higher privileges with iTunes? I will back up my iTunes library and I will try changing the value to true and scan a bit more closely through some of the other files.

Alex

Original comment by malagut...@gmail.com on 29 Dec 2008 at 10:02

GoogleCodeExporter commented 8 years ago
Did some research on uiAccess="true" and found the following on
http://www.tech-archive.net/Archive/Development/microsoft.public.win32.programmer.ui/2007-01/msg00097.html
"Since UIAccess=true apps can bypass the process isolation boundaries, we put two extra requirements on them before they will be launched by the O/S"

This is relating to another situation, but could this possibly allow us to "bypass the process isolation boundaries"? I am not 100% on the meaning of that; however, bypassing anything that Apple blocks must be a bit of a step forward.

Alex

Original comment by malagut...@gmail.com on 29 Dec 2008 at 10:12

GoogleCodeExporter commented 8 years ago
Oh, I then found this following the above quote:

1) They are Authenticode signed with the signing cert chaining to a cert in the machine's trusted root store
2) the application sits in a protected system location (like under \program files or under \windows\system32)

Useful? It would be great if one of the Chronic Dev guys would give me a thumbs up or down if I am on the right track.

Original comment by malagut...@gmail.com on 29 Dec 2008 at 10:14
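
A note added here (not part of the original thread, and not iTunes', Apple's or Chronic Dev's code) on what the "24" section Alex found is: resource type 24 is RT_MANIFEST, the application manifest Windows reads before it starts the process. The script below walks a PE file's resource tree to pull that manifest out without ResHacker, reports the requestedExecutionLevel, and applies the two requirements quoted above: by default Windows only honours uiAccess="true" for an image whose Authenticode signature chains to a trusted root and which sits in a secure location, and since the manifest is part of the signed image, editing it changes the hashed bytes and breaks that signature. The manifest is a constructed copy of the fragment in the thread wrapped in a complete assembly, the minimal PE image is built in code so the walker can be run offline, and the secure-location list is an assumed default. asInvoker is a privilege setting for the iTunes process on Windows; it has no bearing on what the iPod accepts.

```python
"""Pull the embedded manifest (resource type 24, RT_MANIFEST) out of a Windows PE
image and report what its requestedExecutionLevel asks for. Added example, not
part of the original thread, of iTunes or of Chronic Dev; the sample manifest and
PE image below are constructed so it runs without an iTunes.exe at hand."""
import struct
import sys
import xml.etree.ElementTree as ET

RT_MANIFEST = 24
TRUSTINFO_NS = ("urn:schemas-microsoft-com:asm.v3", "urn:schemas-microsoft-com:asm.v2")
SECURE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")  # assumed defaults

# Constructed copy of the fragment quoted in the thread, wrapped in a complete assembly.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>
"""

def _sections(data, pe_off, count, opt_size):
    # Each 40-byte section header: name(8), VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    base = pe_off + 24 + opt_size
    rows = [struct.unpack_from("<IIII", data, base + 40 * i + 8) for i in range(count)]
    return [(va, vs, raw, rs) for vs, va, rs, raw in rows]

def _rva_to_off(sections, rva):
    for va, vs, raw, rs in sections:
        if va <= rva < va + max(vs, rs):
            return raw + (rva - va)
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def find_manifest(data):
    """Walk the resource tree (type -> name -> language) and return the first
    RT_MANIFEST blob, or None when the image carries none."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directory entry 2 is the resource table; the directories start 96 (PE32) or 112 (PE32+) bytes in.
    rsrc_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 16)[0]
    if rsrc_rva == 0:
        return None
    sections = _sections(data, pe_off, count, opt_size)
    rsrc = _rva_to_off(sections, rsrc_rva)

    def entries(dir_off):  # (Id, OffsetToData) pairs; high bit set = points to a subdirectory
        named, ids = struct.unpack_from("<HH", data, dir_off + 12)
        return [struct.unpack_from("<II", data, dir_off + 16 + 8 * i) for i in range(named + ids)]

    for ident, sub in entries(rsrc):
        if ident != RT_MANIFEST or not sub & 0x80000000:
            continue
        for _name, sub2 in entries(rsrc + (sub & 0x7FFFFFFF)):
            for _lang, leaf in entries(rsrc + (sub2 & 0x7FFFFFFF)):
                if leaf & 0x80000000:
                    continue
                data_rva, size = struct.unpack_from("<II", data, rsrc + leaf)  # IMAGE_RESOURCE_DATA_ENTRY
                start = _rva_to_off(sections, data_rva)
                return data[start:start + size]
    return None

def parse_manifest(xml_bytes):
    """Return (level, uiAccess) from requestedExecutionLevel, or (None, False) if absent."""
    root = ET.fromstring(xml_bytes)
    for ns in TRUSTINFO_NS:
        el = root.find(".//{%s}requestedExecutionLevel" % ns)
        if el is not None:
            return el.get("level"), el.get("uiAccess", "false").lower() == "true"
    return None, False

def uiaccess_honored(ui_access, authenticode_ok, image_path):
    """By default Windows starts a uiAccess="true" image only when its Authenticode
    signature chains to a trusted root AND it lives in a secure location; any other
    combination is refused at launch. level="asInvoker" never elevates anything."""
    return bool(ui_access and authenticode_ok and image_path.lower().startswith(SECURE_DIRS))

def build_sample_pe(manifest):
    """Constructed minimal PE32 with a single .rsrc section holding one manifest."""
    rva, raw = 0x1000, 0x200
    tree = b"".join([  # root dir -> name dir -> language dir -> data entry -> bytes
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1), struct.pack("<II", RT_MANIFEST, 0x80000000 | 24),
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1), struct.pack("<II", 1, 0x80000000 | 48),
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1), struct.pack("<II", 0x409, 72),
        struct.pack("<IIII", rva + 88, len(manifest), 0, 0), manifest])
    opt = (struct.pack("<H", 0x10B).ljust(112, b"\0") + struct.pack("<II", rva, len(tree))).ljust(224, b"\0")
    hdr = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt
           + b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(tree), rva, len(tree), raw) + b"\0" * 16)
    return hdr.ljust(raw, b"\0") + tree

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_MANIFEST)
    manifest = find_manifest(image)
    print("no RT_MANIFEST" if manifest is None else "requestedExecutionLevel=%s uiAccess=%s" % parse_manifest(manifest))
```

Run it with a path to any PE file to read that file's manifest, or with no argument to use the constructed image. Flipping uiAccess to "true" in the bytes is easy to do and easy to parse back, which is exactly the point: the manifest changes, the image hash changes, and a uiAccess process that is no longer validly signed is refused rather than launched with extra rights.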

GoogleCodeExporter commented 8 years ago
It's good to see that this issue is being worked on seriously, and cheers to malagutial for not being like those *other* issues, where nonsense is placed first, and complaints second.

HAIL TO CHRONICDEV!!!

Original comment by nintendo...@gmail.com on 29 Dec 2008 at 12:18

GoogleCodeExporter commented 8 years ago
malagutial: you are wasting your time here, I guess.

The problem is simple:
- The iPod touch V2 will only accept applications that are signed with a legit certificate: a database of legit certificates is installed in the iPod itself. Certificates rely on the RSA public/private key mechanism. It is proved to have no flaws.
- The iPod touch V2 will only install a firmware encrypted with the right key. We do not know it. It is secret: known only by Apple. There are no known ways to discover it.

To summarize:
- The iPod touch V2 firmware is not modifiable at all for the moment.
- The current firmware won't accept non-legit apps.

So, you can try to search every byte of iTunes, you won't be able to change this situation.
If there is a flaw, it is in the iPod touch firmware. This is where to search and this is where Chronic Dev is searching.

I have a question after reading my post:
- Is there a way to add certificates into the database of trusted certificates?
  How can iPhone developers test their apps on their own iPhones after paying $99?
  Is the certificate they use self-made or is it made by Apple?
-> I know that it is possible to add Wi-Fi (TLS) certificates into the iPod touch with an enterprise app: iPhone Configuration Utility.
-> iPhoneBrowser/iRecovery can modify some files in the iPod filesystem.

Thanks for all your useful reversing, Chronic. We are all behind you. Keep it up!

Original comment by cyril.ca...@gmail.com on 29 Dec 2008 at 12:49

GoogleCodeExporter commented 8 years ago
Hey there,

I've searched for a while in the last few days about jailbreaking the 2G and finally stumbled here.

I think it's a nice thing to make the dev public like this. Show everybody what you're working on and give space for user thoughts (if you read it at all ;) ). Perhaps you're getting on the right idea this way.

Now you guys here have very good ideas. Now I'll add mine ;) Don't know much about jailbreaking and seeking exploits, but the problem is the WAY, so:
1) What about copying certificates onto "homebrew"? So the iPod thinks it's an original.
2) Searching apps for exploits, or do they have no access to firmware files (some apps write logfiles on iPod/iPhone)?
3) Does the firmware package install itself on iPod/iPhone when it's transferred to it, like apps? Or does iTunes open access to flash memory and write the files directly on updating?
4) Security holes in the firmware itself? Like a way to simulate an incoming update, but instead of writing the original files, use another source.

And one last personal question:
Is this a mean project? So another crew concentrates on iPod touch jailbreaking because the Dev Team only develops for the iPhone? If so, GO ON GUYS! And don't get disturbed by things like Issue I + II.

Original comment by knighToF...@gmail.com on 29 Dec 2008 at 1:55

GoogleCodeExporter commented 8 years ago
What I am trying to say is iTunes does have a unique connection with the iPod touch that we currently do not have right now. For example, when you sync, the iPod touch tells you it syncs and iTunes can actually transfer the apps and wait for the iPod touch to verify and install it. It is obviously an encrypted connection.

Sorry for my spelling errors + are you really 14? You know a lot; I thought you were 19 + how old is Chrono?? Just curious because of his knowledge.

Original comment by Kalidmoh...@gmail.com on 29 Dec 2008 at 4:22

GoogleCodeExporter commented 8 years ago
Cyril, thanks for your comment. It makes sense and I suppose there maybe is no exploit there. What I am sure of is that somewhere in the registry of our computers or inside hidden files deep within the system there is an exploit. With PCs and Macs we have the ability to do far more than the iTouch allows us to, so if there is an exploit, the easiest place to find it would be using the computer.
Question. When an app is downloaded to your computer from the App Store, is the code unique for every iPod? I know this is what Sony did with the PSPs. Also, are you sure that the codes are compared to a list inside the iPod, because they could be mathematically generated. You know, when you have a number there must be a letter followed by two numbers higher, that sort of thing. If that was the case, could we have a look at the list in the 1st gen (if there is one) and create a keygen? If anyone knows how.

Kalidmohomed, I am 14 and also I am not part of Chronic Dev so I don't know how old Chrono is. Sorry. I would expect he is an adult though :-p

Alex

Original comment by malagut...@gmail.com on 30 Dec 2008 at 9:22

GoogleCodeExporter commented 8 years ago
"iTunes does have a unique connection with the iPod touch that": it's hard to explain, but the reason iRecovery and iPhoneBrowser work is that they are using files that were originally built for iTunes and calling the hidden functions of these files (aka DLLs). It's easier to understand if you have programming experience, but you will find none of these tools work without iTunes because that's what powers them. iTunes doesn't willfully let them, but DLL + a few tools = guess hidden function names etc. etc., which then a 3rd party application can exploit.

Original comment by storm...@gmail.com on 30 Dec 2008 at 9:50

GoogleCodeExporter commented 8 years ago
PS: ResHack will not help at ALL, unless it's with modifying the firmware. ResHack is to modify "resources" within an application; it will not help to exploit something, merely let you modify the way things look. A common use of it, for e.g., was to extract MSN styles to modify them.

Original comment by storm...@gmail.com on 30 Dec 2008 at 9:56

GoogleCodeExporter commented 8 years ago
I think it would be a great insight for all people, before they make suggestions, to watch http://video.google.com/videoplay?docid=713763707060529304 at Google Videos, which talks about how the iPhone Dev Team hacked the iPhone, as ultimately it is the same operating system. Don't bother watching the baseband bit, but watch from 2:56 (Hacking the Applications Processor) to 23:00 ('That's basically where we are').

I know this is twenty minutes of your life, but understanding these things could help form ideas that might have some feasibility.

Notice how everything code-checks everything, and apps run as 'mobile', not 'root' (7:39 and 9:20), so cannot access other parts of the system.

Original comment by simon.ho...@gmail.com on 30 Dec 2008 at 1:54

GoogleCodeExporter commented 8 years ago
OK then, I know this is a stupid question but I'm gonna ask it anyway.
What exactly is Chronic Dev searching for and doing right now?

Malagutial: don't worry about it, I was just curious, it's not a big deal.

Original comment by Kalidmoh...@gmail.com on 30 Dec 2008 at 2:39

GoogleCodeExporter commented 8 years ago
I got a unique idea: since finding an exploit for the iPod Touch 2G firmware is too hard at the moment, try finding a way to put apps that are unregistered (apps from Appulo.us) on the iPod. Find a way to verify them for the iPod. Smaller file = less code to figure out.

Original comment by guita...@yahoo.com on 30 Dec 2008 at 2:45

GoogleCodeExporter commented 8 years ago
No man... all the sig-checking code resides on the iPod itself, so they have to look into the iPod and its software/firmware to find a way through.

The cert that is attached to the .app file is obviously unique to that file and has information about the file, like hash values, keys, CRC stuff. It does sound easy to do, but I'm sure that the guys are/have already looked into that... :)

Original comment by dhruvja...@gmail.com on 30 Dec 2008 at 5:49
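
A toy model, added here and not Apple's format or Chronic Dev's code, of the check cyril summarised above and dhruvjain describes in the comment just before: the certificate database on the device holds the vendor's root public key, an app carries a developer certificate plus a signature over its own bytes, and the device verifies both before installing. It also covers the keygen question raised earlier: nothing is looked up in a list; the device recomputes the hash and checks an RSA signature over it, so without the private key there is nothing to generate. The three ideas from the thread (copy a legit cert and signature onto changed code, sign homebrew with a self-made cert, install that cert as a Wi-Fi/TLS root) are run against the model. The primes, key names, the Device class and its two trust stores (code_roots, tls_roots) are constructed for the illustration; real devices use 2048-bit RSA and a proper certificate encoding. Python 3.8+ is needed for pow(E, -1, phi).

```python
"""Toy model of the on-device code-signing check discussed in this thread.
Added example, not Apple's format and not Chronic Dev's code: real devices use
2048-bit RSA and a proper certificate encoding; the small Mersenne-prime keys
here are constructed so every step is readable and runs in pure Python 3.8+."""
import hashlib

E = 65537
# Constructed toy primes, paired so no two keys share a prime. gcd(E, phi) == 1
# for every pair because 65537 divides 2^k - 1 only when 32 divides k.
_PRIMES = [(1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1,
           (1 << 107) - 1, (1 << 127) - 1, (1 << 521) - 1]

def toy_keypair(index):
    """Return (public=(n, E), private=d) for one of three fixed toy keys, index 0..2."""
    p, q = _PRIMES[2 * index], _PRIMES[2 * index + 1]
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def _digest(data):
    # SHA-256 truncated to 64 bits so the value fits below the smallest toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def sign(private, public, data):
    return pow(_digest(data), private, public[0])

def verify(public, data, sig):
    """True only if sig was produced with the private half of 'public' over
    exactly these bytes; there is no list of valid values to compare against."""
    n, e = public
    return pow(sig, e, n) == _digest(data)

def cert_tbs(subject, public):
    """The bytes an issuer signs: the subject name bound to the subject's key."""
    return ("%s|%d|%d" % (subject, public[0], public[1])).encode()

def issue_cert(issuer_private, issuer_public, subject, subject_public):
    return {"subject": subject, "pub": subject_public,
            "issuer_sig": sign(issuer_private, issuer_public, cert_tbs(subject, subject_public))}

def make_bundle(code, cert, private):
    """An 'app': code bytes, the developer's cert, and a signature over the code."""
    return {"code": code, "cert": cert, "sig": sign(private, cert["pub"], code)}

class Device:
    """Hypothetical device with two separate trust stores: the code-signing root
    baked into the firmware, and roots installed for Wi-Fi/TLS (e.g. through a
    configuration profile). install() consults only the first."""

    def __init__(self, code_signing_root):
        self.code_roots = [code_signing_root]
        self.tls_roots = []

    def install(self, bundle):
        cert = bundle["cert"]
        chained = any(verify(root, cert_tbs(cert["subject"], cert["pub"]), cert["issuer_sig"])
                      for root in self.code_roots)
        return chained and verify(cert["pub"], bundle["code"], bundle["sig"])

def demo():
    """Run the three ideas from the thread against the model and report each outcome."""
    root_pub, root_priv = toy_keypair(0)   # vendor root: the private half never leaves the vendor
    dev_pub, dev_priv = toy_keypair(1)     # developer key, certified by the root
    own_pub, own_priv = toy_keypair(2)     # self-made key, certified only by itself
    device = Device(root_pub)
    dev_cert = issue_cert(root_priv, root_pub, "developer", dev_pub)
    self_cert = issue_cert(own_priv, own_pub, "homebrew", own_pub)
    legit = make_bundle(b"constructed app binary", dev_cert, dev_priv)
    # idea 1: keep the legit cert and signature, change one byte of the code
    tampered = dict(legit, code=b"constructed app binarX")
    # idea 2: sign homebrew with a self-made cert, and also install that key as a TLS root
    homebrew = make_bundle(b"homebrew binary", self_cert, own_priv)
    device.tls_roots.append(own_pub)
    return {"legit": device.install(legit),
            "tampered": device.install(tampered),
            "self_signed": device.install(homebrew)}

if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-12s %s" % (name, "installed" if ok else "rejected"))
```

Only the legit bundle installs. The tampered one fails on the code signature even though its certificate is genuine, and the self-signed one fails on the chain check before its code signature is even looked at, whether or not its key sits in the TLS store. Anything that changes that outcome has to change the verifying code or the root key on the device itself, which is why the search is in the firmware and not in iTunes.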

GoogleCodeExporter commented 8 years ago
Wow, looks like Apple went through a lot to prevent pirated apps and a jailbroken iPod touch.
They must have been pissed and lost a lot of money with the original iPod touch.
Wonder how much they spent on the security system for the 2G iPod touch, because it's almost been 4 months and it's still not jailbroken.

Original comment by Kalidmoh...@gmail.com on 30 Dec 2008 at 7:47

GoogleCodeExporter commented 8 years ago
I was wondering if you could do a buffer overflow exploit with a modified picture like they did with the PSP, because I have Windows 7 installed and it recognizes my iTouch 2G as a camera and I can open all my pictures.

Original comment by mshanno...@gmail.com on 30 Dec 2008 at 9:16

GoogleCodeExporter commented 8 years ago
OK, I've read about 90% of the comments here and thought I'd throw in my 2 cents' worth, but I guess I'm also asking a question with it.

If the problem is the connection between iTunes and the touch and it being transferred, then why not send a legit app? This may seem sort of like a suicide attempt, but if someone had the dev kit for the touch apps and made an app that could return data about the firmware or even possibly implant some sort of trojan onto the touch and let it search its way around.

Now this is all from an inexperienced hacker; I'm just trying to look at all this from a logical sense.

Also, I just want to give thanks to the dev team for putting so much effort and work behind jailbreaking the 2G.

Original comment by NobleRoo...@gmail.com on 30 Dec 2008 at 10:09

GoogleCodeExporter commented 8 years ago
Yeah, couldn't we possibly put some kind of hidden picture virus in that picture folder and then rename the iPod touch picture with a JPG extension so that virus could modify the iPod touch when it disconnects? Because the iPod touch is recognized as a camera.

Original comment by Kalidmoh...@gmail.com on 30 Dec 2008 at 10:12

GoogleCodeExporter commented 8 years ago
How about trying to literally go straight through it, like instead of editing the firmware to give you 2 new programs (Cydia and Installer), edit the regular App Store and add a new app.

Original comment by evANG...@aim.com on 30 Dec 2008 at 10:27

GoogleCodeExporter commented 8 years ago
Again, see comment 16. Local applications are signed, so editing them would render the signatures incorrect and would stop them working. Also, they run as a NON-ROOT user, so are unable to edit the system.

Original comment by simon.ho...@gmail.com on 30 Dec 2008 at 10:33

GoogleCodeExporter commented 8 years ago
Just thought I would look around using Visual Studio 2008 at some random apps. I found something that may or may not be of some help:

Payload/Night Stand.app/green9.png

It looks like the apps might be stored in some directory called Payload. Not sure if this is any help, but just throwing it out there.

Also, is there some sort of program to view files in the touch?

Original comment by NobleRoo...@gmail.com on 30 Dec 2008 at 10:34

GoogleCodeExporter commented 8 years ago
OK, so I'm watching the video in comment 16 and I see what you're talking about, hollingshead.

I'm gonna watch the rest of the vid and see what I can come up with.

Original comment by NobleRoo...@gmail.com on 30 Dec 2008 at 10:46

GoogleCodeExporter commented 8 years ago
Jailbreaking an iPod has much more to do with the files that are accessible from Windows Explorer. Basically, what you're doing when you're jailbreaking an iPod is finding an exploit (a way to bypass security measures in a device's coding) in the iPod's boot loading scripts.

These bootloaders are sometimes visible through Windows Explorer, depending on the device, but newer devices (such as the iPods and iPhones) have the bootloaders tucked into their firmware.

Currently, Chronic Dev has figured out some of the ways that the booting scripts function, and the level of security that Apple has put on them. Basically what needs to be done is the team needs to find a "hole" in the bootloading script that would allow them to insert new scripts that the iPod wouldn't normally accept. This is simply a process that takes time and testing. It's possible that an exploit could be found in the bootloader, or it's possible hardware changes would have to take place to jailbreak the iPod. It's just a matter of time and effort. Unless you have experience with Apple devices + their software language, the best way to help the team is to make a donation.

Original comment by mgil...@gmail.com on 31 Dec 2008 at 5:11

GoogleCodeExporter commented 8 years ago
I think what needs to happen is an internal hardware flaw needs to be found. If they find one then it will allow them to create a jailbreak. All of you have probably just read my first two sentences and thought completely the opposite; however, if they can create a jailbreak on 1 iPod, regardless of the way they do it, they can script a program to work on all unjailbroken iPods (2G) which will allow a soft mod. This is all theoretical as it assumes that they will be able to gain access to the codes Apple uses to allow signed or unsigned sigs.

Alex

Original comment by malagut...@gmail.com on 31 Dec 2008 at 9:08

GoogleCodeExporter commented 8 years ago

Original comment by will.chr...@gmail.com on 31 Dec 2008 at 4:36

GoogleCodeExporter commented 8 years ago
Hi, I have read most of the posts about using *legit* applications to find a jailbreak. So why not? Before I start my idea can I just say I have hardly any knowledge of hacking.
1. Get someone to create a *good* free game for the iPod Touch.
2. Have the game have a hole in it somewhere so you can get inside the iPod using the application?
3. I doubt Apple try and hack their own iPods when every game is submitted, and maybe word could get round and you could download it and tada.

Sorry if this is just stupid but I thought I would voice my thoughts :D

Good luck Chronic Dev

Ben

Original comment by fatshark...@gmail.com on 31 Dec 2008 at 4:47

GoogleCodeExporter commented 8 years ago
fatshark.ben: Again, comment 16: applications run in a sandbox as a low-permission user and have no access to the system. Without root, you can't get 'into' it.

Original comment by simon.ho...@gmail.com on 31 Dec 2008 at 5:11

GoogleCodeExporter commented 8 years ago
What does Status: Done mean??

Original comment by carlosfd...@hotmail.com on 31 Dec 2008 at 5:57

GoogleCodeExporter commented 8 years ago
It means that this "issue" really isn't an issue and it's been taken care of. It DOESN'T mean the jailbreak has been done; only the status of the so-called issue has been set to "done". This issue has not been moderated by will.chronic, so DON'T consider this as official news from the Dev Team.

Original comment by dhruvja...@gmail.com on 31 Dec 2008 at 9:19

GoogleCodeExporter commented 8 years ago
So there is no longer a problem finding an exploit and Chronic is closer to the jailbreak?

Original comment by rocky...@gmail.com on 31 Dec 2008 at 9:28

GoogleCodeExporter commented 8 years ago
So the jailbreak is almost done, because the last two things were finding an exploit.

Am I right???

Original comment by carlosfd...@hotmail.com on 31 Dec 2008 at 10:14

GoogleCodeExporter commented 8 years ago
"Almost done"? lol, good luck finding an exploit :P
But I'm guessing once somebody finds an exploit, the jailbreak is near.

Original comment by gimme.le...@gmail.com on 1 Jan 2009 at 12:55

GoogleCodeExporter commented 8 years ago
It could just be that the Dev Team is tired of all our annoying comments in this issue. :/

Original comment by NobleRoo...@gmail.com on 1 Jan 2009 at 12:57

GoogleCodeExporter commented 8 years ago
And I don't think anyone from the Chronic team has found an exploit, or else it would have been announced.

Original comment by gimme.le...@gmail.com on 1 Jan 2009 at 12:57

GoogleCodeExporter commented 8 years ago
I'd love to help you but I don't know how. But why is it taking you months to hack it? Please, if you are able, hack it or help us to put the cracked apps on it. Please, thanks for the help. My email is farza69@gmail.com

Original comment by Farza69@gmail.com on 1 Jan 2009 at 10:14

GoogleCodeExporter commented 8 years ago
Could be, Rooster, lol. Just don't rush them, I think they know what they are doing.

Original comment by gimme.le...@gmail.com on 1 Jan 2009 at 1:38

GoogleCodeExporter commented 8 years ago
OK, if anyone on the Chronic Dev team is on, help me, or anyone who knows how.

I want to try and help find the exploits. What do I have to do or need to help?

Original comment by maplesto...@live.com on 1 Jan 2009 at 6:07

GoogleCodeExporter commented 8 years ago
I support this dev team 100%!!!

Original comment by coenisco...@gmail.com on 1 Jan 2009 at 7:56

GoogleCodeExporter commented 8 years ago
Me too

Original comment by maplesto...@live.com on 1 Jan 2009 at 7:59

GoogleCodeExporter commented 8 years ago
Maybe accessing as root user... from booting

Original comment by rodri1...@gmail.com on 1 Jan 2009 at 8:10

GoogleCodeExporter commented 8 years ago
How'd you do that?

Original comment by maplesto...@live.com on 1 Jan 2009 at 8:14

GoogleCodeExporter commented 8 years ago
I know Chronic Dev has a lot to do, but I want to know when they will finish their work... I really want to jailbreak this motherfuckin' iPod touch 2G... please give me an answer :`(

Original comment by TimoAd...@hotmail.de on 1 Jan 2009 at 8:29

GoogleCodeExporter commented 8 years ago
Chronic may never find an exploit. Be prepared for that. The jailbreak is still far away, as I understand when I am reading this wiki.

Original comment by cyril.ca...@gmail.com on 1 Jan 2009 at 8:42

GoogleCodeExporter commented 8 years ago
Well, if you guys want to help, then go find some security holes in the 2G :P

Original comment by gimme.le...@gmail.com on 1 Jan 2009 at 10:47

GoogleCodeExporter commented 8 years ago
lol =)

Original comment by coenisco...@gmail.com on 1 Jan 2009 at 10:49