Archive for March, 2009

The first steps (part 2)

March 30, 2009 2 comments

I had initially planned on talking about reverse engineering iPhone native apps in this post but have decided to write about something else instead. There is another way to gain access to the iPhone filesystem besides jailbreaking your phone. It turns out that there are dmg files on your system that iTunes downloads when installing new firmware that will allow you to access the file system. You can either find them on your computer or download one from theiphonewiki’s System page.  Next, you’ll have to decrypt the dmg file. Theiphonewiki has the keys to do it here and there is a tool called vfdecrypt which can decrypt dmg files. One note about vfdecrypt, I had to modify the source file line 357 to get it working in linux. In the call to getopt() replace any double colons (::) with a single colon. Then recompile (gcc -o vfdecrypt -lcrypto vfdecrypt.c).

The firmware images on your hard drive and the downloadable ones are ipsw files. Change the file extension to “zip” and unzip the archive. You will find several dmg files in there. The largest one (~200mb) is the one you want. Decrypt that dmg file with vfdecrypt. The output file should be a new dmg file. You will now need to extract that new dmg file. To do this I used HFSExplorer. Extract that somewhere and you now have access to the iPhone filesystem.

Categories: iPhone Tags: ,

The first steps (part 1)

March 28, 2009 Leave a comment

In order to begin iPhone hacking, it is necessary to unlock/jailbreak the phone. Thanks to the QuickPWN group, this is quite simple. Download their QuickPWN tool for your platform, run it and follow the on-screen instructions. Never unplug the iPhone during this process, however, or you risk turning your iPhone into an expensive paperweight/doorstop.

After you have jailbroken the phone, you need to install OpenSSH to gain access to the phone from your computer. This package is installed from the new “Cydia” icon and takes no brain power to do (just finger power). Once installed you can secure shell (SSH) into your phone. From your computer, SSH to the phone’s ip address (yes, it must be on your wifi network) with the username “root” and password “alpine.”

Now you are at the shell of your phone; pretty cool! Make sure you change the “root” and “mobile” user passwords (use passwd) so that others can shell into the phone too (other wise you will get pwned). Now you can start looking around the filesystem of the phone. Native applications and libraries are installed in /private/var/stash/ and your AppStore applications are in /User/Applications.

In part 2 we will look at some of the other interesting files and talk about reverse engineering native apps. Since AppStore apps are encrypted, we will save those for a later post.

Categories: iPhone Tags: ,