Copyright secretmrx 2009 1 Document version 2.

iPhone is a registered trademark of Apple Inc. 1 Copyright secretmrx 2009

 Copyright secretmrx 2009 2 Document version 2.0

Section 1 Vocabulary 4
Simple Vocabulary 4
Jailbreak 4
Activate 4
Unlock 4
Advanced Vocabulary 4
Accelerometer 4
Bootloader 4
Brick 4
BSD Subsystem 4
DFU Mode 4
3G/EDGE 4
GPS 4
GSM 6
iBoot 6
IMEI 6
iPhone Dev Team 6
Pwning, PwnageTool, QuickPwn, WinPwn 6
Ramdisk 6/7
Recovery Mode 7
Seczone 7
SIM 7
SSH 7
UMTS 7
Section 2 Practical Work 8
A Brief History of iPhone Hacking 8
PwnageTool Mac 8
PwnageTool Usage 8/9
QuickPwn Windows + Mac 9
QuickPwn Usage 9
Section 3 Useful Information

iPhone is a registered trademark of Apple Inc. 2 Copyright secretmrx 2009

 Copyright secretmrx 2009 3 Document version 2.0

How To...
Enter/Exit DFU Mode 10
Enter/Exit Recovery Mode 10
Use SSH 10
Change Your APN 10/11
Update Your Carrier Bundle 11
How to Downgrade iPhone OS 11
Useful Links 11
Conclusion 13
License 13

iPhone is a registered trademark of Apple Inc. 3 Copyright secretmrx 2009

 Copyright secretmrx 2009 4 Document version 2.0

Section 1 Vocabulary
You may have seen many of these words before - on websites, in emails you have received, or in
other iPhone guides. The aim of this section is to clear up any confusion you may have, leaving
you a competent iPhone hacker. It is important that you thoroughly understand the Simple
Vocabulary before reading further into this guide, as these are the words that you will come across
the most.

Simple Vocabulary
Jailbreak
To read and write to the operating system partition on the iPhone, you must Jailbreak it.
Confused? Not to worry.
Partitioning is achieved when the operating system treats one physical piece of memory as
smaller, separate units. Say you ordered a pizza, and it arrived in a nice box. The box and whole
piece of pizza within is the hard drive that you can store files on. Hang on, if you open up the
box and split the pizza inside into two, you can effectively make two hard drives! This is how
partitioning works. The computer would open the box, see the halved piece of pizza and think it
is two drives, when it is actually one that is pretending to be two.
Your iPhone operates in this way. It uses two partitions - the media partition and the operating
system partition. The media partition is where all your iTunes data is stored - music, movies,
contacts, App Store apps etc. This partition is usually the size of your iPhone’s memory capacity,
minus 500-600MB for the OS partition. Because of the way that Apple have set up the iPhone
OS, we can not do any hacking in this easily accessible partition. To hack the device, we must
get into the OS partition.
The OS partition, the space on the iPhone that Apple has locked us out of, is where the jailbreak
lies. This is where the iPhone’s operating system is stored - iPhone OS. Once we have access to
this partition, we can do a number of things, such as:

• Run unofficial (non-App Store) applications

• Execute scripts and commands
• Tweak the visual aspects of iPhone OS

Jailbreaking brings this functionality - and more - to your device.

Activate/Hacktivate
To activate your device means to allow access to the SpringBoard, by telling your phone that
you are a using an iPhone-supported carrier.
After purchasing your device or doing an iTunes restore, you may notice that you can not do
anything except place emergency calls. You are locked out of your home screen, the ‘slide to
unlock’ text changed to read ‘slide for emergency’. This is because your iPhone wants to be
connected to iTunes, so iTunes can make sure you are using it with a supported carrier (AT&T in
the US, Vodafone in New Zealand). However, if you wish to use your device on an unsupported
network, or simply as an iPhone without the phone features, you must trick your device into
thinking it is legitimately activated through iTunes. This is sometimes referred to as
‘hacktivation’. Note that jailbreaking is a prerequisite of hacktivation.
Unlock

iPhone is a registered trademark of Apple Inc. 4 Copyright secretmrx 2009

 Copyright secretmrx 2009 5 Document version 2.0

Unlocking your device means to open up the iPhone’s modem to accept SIM cards from
unofficial carriers. In the US, for example, an iPhone will not connect to any carrier other than
AT&T, unless it is unlocked.
Just as iPhone OS controls the applications that you interact with whenever you use your
phone, the baseband processor controls the modem. The baseband processor has its own,
separate firmware from the main OS, called the baseband firmware. During most iPhone
software updates, Apple update the baseband firmware on the device. The unlock lies in the
baseband firmware, by patching out certain bytes, you can bypass the SIM check. For some
devices, updated basebands can mean the inability to software unlock your phone. Thankfully,
PwnageTool from the iPhone Dev Team can disable the baseband update in iPhone software
updates, allowing certain devices to remain unlocked and still enjoy the latest version of iPhone
software. We will not cover unlocking in great detail, as this guide is intended for beginners and
it is a very technical subject.
Jailbreaking and activating/hacktivating are prerequisites of unlocking.

Advanced Vocabulary

The following words are not crucial to know, however the more you know the better.

Accelerometer
The accelerometer detects the orientation of your iPhone. Applications can be built to take
advantage of this, such as Safari does when you turn your iPhone onto it’s side. Some games
use the accelerometer as a method of controlling the character, such as Super Monkey Ball
from the App Store.
Baseband
The baseband in the iPhone manages all functions which require an antenna. It is separate
from the OS and is it’s own processor, with it’s own firmware. It’s firmware is called the
baseband firmware.
Bootloader
A bootloader is some code that is executed when the device is powered on. Two bootloaders
you may have heard of are the baseband bootloader and iBoot. Bootloaders perform integrity
checks on data and prevent unsigned, non-apple code from being loaded. They essentially
police the iPhone OS, making sure everything is the way Apple want it to be. PwnageTool,
WinPwn and QuickPwn patch out integrity checks from the bootloaders (LLB, iBoot) and the
kernel, allowing unsigned code to be executed.
Brick
To brick a device means to render it permanently unusable, usually through software
modifications. A common misconception is that jailbreaking a device could brick it if
something went wrong, this is not true. Thanks to DFU mode and iTunes’ restore system, a
device that didn’t jailbreak correctly can easily recover.
BSD Subsystem
As iPhone OS is a special version of OS X, it has BSD underpinnings. BSD Subsystem is a set of
tools and commands that some applications require to run properly. These can be run
through a command prompt, too. Apple does not ship iPhone OS with many commands, so
many have been ported from OS X to iPhone OS.

iPhone is a registered trademark of Apple Inc. 5 Copyright secretmrx 2009

 Copyright secretmrx 2009 6 Document version 2.0

DFU Mode
DFU Mode is a special mode where the device can still interface with iTunes, yet it does not
load iPhone OS or iBoot. The screen will appear off lifeless when in DFU mode, making it
impossible to tell whether the device is in DFU or powered down from simply looking at the
screen. PwnageTool exploits a vulnerability in DFU to flash custom firmware to the device,
and as iBoot and the OS are not loaded, downgrading firmware versions is possible.
3G/EDGE
EDGE and 3G are two mobile data technologies that enable you to get internet virtually
anywhere on your iPhone. The original iPhone supported EDGE/GPRS, a slower form of
internet access, while the iPhone 3G supports the fast 3G standard.
GPS
GPS, or Global Positioning System, is a method of locating your iPhone 3G using satellite
triangulation. This allows you to get directions through the Maps application, as well as
geotag photos. Photos that are have geotags can have their location looked up in mapping
software, such as Google Earth.
GSM
GSM, or ‘Global System (or Standard) for Mobile communications,’ is the most popular mobile
phone standard in the world. Unlike CDMA, GSM phones take advantage of SIM cards. SIM
cards contain certain data, such as the phone number of that SIM, the ICCID etc. Both iPhone
and iPhone 3G support GSM.
iBoot
iBoot is the bootloader for the application processor on iPhone OS devices. iBoot is
responsible for recovery mode. During a restore, iBoot makes sure that you are flashing a
firmware version greater than or equal to a current one. If you are not, iBoot will not allow the
restore to proceed. Because of this, firmware downgrading must be done in DFU mode. iBoot
has an interactive interface, allowing communication via USB or serial.
IMEI
An International Mobile Equipment Identity number is a static number which identifies your
device. All mobile phones have an IMEI, and no two are the same. It is similar to a MAC
address - it is a unique identifier.
iPhone Dev Team
The iPhone Dev Team are a group of hackers who extend the iPhone’s capabilities past what
Apple offer. They are known for their law-abiding manner, they never distribute copyrighted
code.
Pwning, PwnageTool, QuickPwn, WinPwn
These programs are used to patch out checks from the bootloaders and kernel of the iPhone.
The exploit they use is at DFU level. PwnageTool and WinPwn both create custom restore
files, while QuickPwn hacks the device on the firmware that it is currently running on.
Ramdisk

iPhone is a registered trademark of Apple Inc. 6 Copyright secretmrx 2009

 Copyright secretmrx 2009 7 Document version 2.0

A ramdisk is a special type of virtual hard disk that uses RAM. QuickPwn uses this to boot the
custom payload that jailbreaks the device. Apple uses a ramdisk to start the restore
procedure, when the device is in recovery mode. This is because you can not restore the OS
when it is loaded on the phone, it must be done in an external environment.
Recovery Mode
Recovery Mode is a state of iBoot that is used during standard upgrades and restores. As
iBoot is active, it does not allow you to downgrade your device’s software. Also, unless it is
‘pwned,’ it will not allow custom firmware to be flashed.
Seczone
The seczone contains data about the lock state of your iPhone, as well as your RSA token. An
official unlock would require that the user enters an unlock code, which is then checked
against data in the seczone. The lock table specifies how many unsuccessful attempts at
officially unlocking the phone the user has made, as well as what provider you are locked to.
If you exceed 3 unsuccessful unlock attempts, the baseband will go into brick mode.
SIM
A Subscriber Identity Module is a small chip provided to you by your carrier that contains your
specific and unique data. It holds your phone number, IMEI and more. The SIM card is what
identifies your phone to the cellular network, and is used by GSM and UMTS phones.
SSH
Secure Shell is a method of securely exchanging data between two devices. It is a method of
file transfer between iPhone and a computer (providing that the iPhone is jailbroken and
OpenSSH is installed). The default login credentials are username: root, password: alpine.
UMTS
UMTS is the successor to GSM. It is a 3G, W-CDMA based network, that can also be expanded
to 4G. This is the technology that iPhone 3G uses.

iPhone is a registered trademark of Apple Inc. 7 Copyright secretmrx 2009

 Copyright secretmrx 2009 8 Document version 2.0

Section 2 Practical Work

What’s in this section?
In this section you will learn about the different methods you can use to hack your device. We will
start off with a brief history of iPhone hacking, and then proceed to familiarize you with the tools
you will be using.

A Brief History of iPhone Hacking

Over time things change, and the iPhone is no exception. Back in the 1.0.x days, unlocking was an
ugly process, and jailbreaking a manual one. PwnageTool was not available then, it was all done
through Terminal/Command Prompt environments.

When 1.1.1 was introduced, the iPhone Dev Team (considerably smaller than their current size),
released a manual jailbreak. This was challenging and not for the average user.
Later on, an exploit was discovered in MobileSafari which allowed code to be executed - all while
Safari thought it was opening a .TIFF image. This was a true one-click jailbreak/activate solution,
and a computer was not required at any stage during the process. This method from
jailbreakme.com placed the hugely popular Installer.app - the unofficial package management
application - on the device.

Times have changed. Over time Apple have patched a lot of bugs and holes, yet significant
exploits have been discovered. One of those significant exploits is the Pwnage exploit - allowing
an unchangeable and incredibly user friendly means of hacking your device, thanks to the iPhone
Dev Team’s great GUI applications. Along with the Pwnage exploit came BootNeuter, the ultimate
unlocking tool for first generation iPhones. BootNeuter permitted custom baseband firmware to
be flashed to the phone, creating a forever-unlockable phone.

PwnageTool Mac
PwnageTool can activate, jailbreak, unlock and allow for third party applications on your device.
Unlike QuickPwn, it does this through a custom restore bundle, or .ipsw. You can then restore
to this bundle in iTunes, and on completion have a device tailored to your needs.
If you have never ‘pwned’ your phone, PwnageTool will all a special Device Support file which,
when in DFU mode, allows a custom restore to be flashed. Once this has been done once, you
can continue to restore to custom firmware without ‘pwning’ again. This whole process is
completely reversible, just restore to a stock Apple firmware file and everything is back to
normal.
PwnageTool Usage

iPhone is a registered trademark of Apple Inc. 8 Copyright secretmrx 2009

 Copyright secretmrx 2009 9 Document version 2.0

1. Download and open PwnageTool. PwnageTool can be found at blog.iphone-dev.org.

2. Connect your device..
3. Choose either iPhone, iPhone 3G or iPod touch on PwnageTool’s main screen.
4. You will be asked what you wish to do. Choose from the list, then press next.
5. If you selected iPhone, you may be asked for bootloader files. A simple google search for
‘iPhone bootloaders’ should find them for you (note they may download in a .zip.
Decompress the .zip, you should find two files, 3.9 and 4.6).
6. At the end of the process, you will be asked if your device is pwned. If you are unsure, or
don’t even know what that means, press yes. It does not hurt if you press yes, but you may
get some iTunes errors if you press no.
7. Open iTunes with your device connected. It may be in DFU mode from PwnageTool. If it is,
leave it in there.
8. Click on the iPhone tab in iTunes
9. You should see a button that reads ‘Restore’. Hold down shift on Windows or Option on a
Mac and click restore. A file browsing window should appear.
10. Choose your custom restore file.
11. The restore will begin, and your device will wake up customized.

QuickPwn Windows + Mac

Note: both programs are called QuickPwn on each OS, yet you must download the copy that
suits your platform.

QuickPwn works on the same exploit that PwnageTool does, still breaking the chain of trust in
the bootrom, LLB and iBoot. Like PwnageTool, it ‘pwns’ your device, but through a different
system.
Unlike PwnageTool, QuickPwn can do all this without you needing to restore. It uses a ramdisk
and the DFU exploit to make the modifications to your device. For some people, this is by far
the best method, as restoring requires you to sync all your data back.
QuickPwn Usage
1. Download and open QuickPwn. You can get it from blog.iphone-dev.org.
2. Connect your device.
3. Open QuickPwn.
4. Choose what you wish to do from the options.
5. IIf you selected iPhone, you may be asked for bootloader files. A simple google search for
‘iPhone bootloaders’ should find them for you (note they may download in a .zip.
Decompress the .zip, you should find two files, 3.9 and 4.6).
6. Your iPhone screen will show a progress bar. Wait until it has completed.

iPhone is a registered trademark of Apple Inc. 9 Copyright secretmrx 2009

 Copyright secretmrx 2009 10 Document version 2.0

Section 3 Useful Information

How To...

Enter/Exit DFU Mode

Note: When in DFU mode, the screen will appear to be turned off. Because of this,
the only way to tell if you are in DFU mode is to be connected to iTunes. It is
recommended that you read through these steps thoroughly before continuing.

To enter:

1. Connect your device to iTunes.

2. Hold down the home + power buttons for 10 seconds.
3. After 10 seconds, release the power button but keep holding home.
4. After a few seconds (10 or so), iTunes will detect your device in DFU mode.

To exit:

1. With your device in DFU mode, hold the home + power buttons until the
device shows the Apple logo. This may take 30-60 seconds.
2. When the device shows the Apple logo, release the buttons.

Enter/Exit Recovery Mode

To enter:

1. Disconnect the device from the computer and open iTunes.

2. Turn off the device.
3. While turned off, hold down the home button and connect to iTunes.
4. Keep holding the home button as it boots.
5. If you are in recovery mode, you will see a ‘Connect to iTunes’ graphic on your
screen.

To exit:

1. While in Recovery Mode, hold down the home + power buttons for 10 seconds.
2. After 1o seconds, release the home button but continue to hold the power
button.
3. Keep holding the power button until the Apple logo appears.

Use SSH
1. Download WinSCP (Windows) or Cyberduck (Mac).
2. Download OpenSSH from Cydia/Installer on your device.
3. Open up the SSH application on your computer.
4. Enter your device’s IP address (found in Settings -> Wifi -> Tap blue arrow by your network)
in the Host name box.
5. Enter the username root and password alpine.
6. Connect. Your first login may take a while, this could be many minutes. If you get any
popups about the host not responding, ignore them.
Change Your APN

iPhone is a registered trademark of Apple Inc. 10 Copyright secretmrx 2009

 Copyright secretmrx 2009 11 Document version 2.0

If you can not change your APN in ‘Settings -> General -> Network,’ follow these steps -

1. Open Safari on your device.

2. Navigate to unlockit.co.nz.
3. Click on ‘Continue’.
4. Click ‘Custom APN’.
5. Enter your APN and credentials.
6. Click ‘Create Custom Profile’.
7. Install the configuration profile.
Update Your Carrier Bundle
1. Download/locate the .ipcc file you wish to flash to your phone.
2. With your device plugged into iTunes, hold down shift (Windows) or option (Mac) and press
‘Update’.
3. In the window that appears, locate the .ipcc file and select it.
Downgrade iPhone OS
1. Download your destination OS. Google search it, eg. ‘iPhone 2.2 download’.
2. Enter DFU mode.
3. When the device is detected by iTunes in DFU mode, hold Shift on Windows or Option on a
Mac and press ‘Restore’.
4. When the restore is complete, iTunes may give you an error, stating that the device may not
have restored properly. This is completely normal, it is because your baseband was not
downgraded. To leave recovery mode, simply hold home + power until the device turns off
and reboots (about 20 seconds of holding the buttons).

Useful Links
hackint0sh.org
Hackint0sh is one of the best Apple hacking and modding
forums. It has a large, helpful and growing user base, and is a
great place to go to get some help. Hackint0sh is the home of
the iPhone Dev Team.
blog.iphone-dev.org
This is the official blog of the iPhone Dev Team. New hacks and tools are announced
here, as well as offering download links to their current software.

digg.com/apple
Digg is a great place to find out about Apple rumors, news, tips and events. It’s large
user base weeds out the bad articles, and promotes the great ones.

apple.com/iphone/
Apple’s own website is one of the best for iPhone resources and information. It
showcases top applications from their App Store, and contains tips and tricks you may
not have known.

iPhone is a registered trademark of Apple Inc. 11 Copyright secretmrx 2009

 Copyright secretmrx 2009 12 Document version 2.0

modmyi.com
Once an iPhone only forum, modmyi has grown to become one
of the largest Apple forums around. They host Cydia and
Installer repositories, and their users are always happy to help.

theiphonewiki.com
The iPhone Wiki is an incredibly useful resource. It is a user
editable wiki, based on the same CMS as Wikipedia. After
reading iSeminar, you should be able to understand most of the
things in The iPhone Wiki.

iPhone is a registered trademark of Apple Inc. 12 Copyright secretmrx 2009

 Copyright secretmrx 2009 13 Document version 2.0

Conclusion
Hopefully after reading iSeminar you have a much better understanding of the iPhone OS, how it
works, and how we hack it.

I would like to thank the iPhone Dev Team for their tireless work on the iPhone. They devote their
spare time to offer us applications, hacks and tools - all without accepting donations.

License
Please feel free to distribute iSeminar, but do not take credit for it. Please credit it back to me
(secretmrx).
You may not sell this guide. It is copyrighted work.

secretmrx
11/04/09

iPhone is a registered trademark of Apple Inc. 13 Copyright secretmrx 2009