These are just a set of binaries that we have put up to make things easy for folks. Nothing more, nothing less. None of this stuff will EVER help you unlock your iPhone, but it may make your iPhone a bit more fun.
Qemu no goes...

# ../qemu-system-arm -d out_asm -kernel ./zImage.integrator -initrd ./arm_root.img -nographic -append "console=ttyAMA0"
zsh: illegal hardware instruction  ../qemu-system-arm -d out_asm -kernel ./zImage.integrator -initrd -nographic

zsh's "illegal hardware instruction" is SIGILL in the qemu-system-arm process itself, not a fault inside the guest. The -d out_asm log is the host code the translator had emitted when it died; the dump ends in an out-of-bounds read at 0x280280.

# cat /tmp/qemu.log
OUT: [size=194]
0x002801c0: 000000a0 andeq r0, r0, r0, lsr #1
0x002801c4: 2d40a000 stccsl 0, cr10, [r0]
0x002801c8: 000013a0 andeq r1, r0, r0, lsr #7
0x002801cc: 2d40a000 stccsl 0, cr10, [r0]
0x002801d0: 000100a0 andeq r0, r1, r0, lsr #1
0x002801d4: 2d409000 stccsl 0, cr9, [r0]
0x002801d8: 409040b0 ldrmih r4, [r0], r0
0x002801dc: 0014a02d andeqs r10, r4, sp, lsr #32
0x002801e0: 40b00000 adcmis r0, r0, r0
0x002801e4: 7008e92d andvc lr, r8, sp, lsr #18
0x002801e8: 3007e28d andcc lr, r7, sp, lsl #5
0x002801ec: 2525e1a0 strcs lr, [r5, -#416]!
0x002801f0: 2072e1a0 rsbcss lr, r2, r0, lsr #3
0x002801f4: 3202e6ef andcc lr, r2, #250609664 ; 0xef00000
0x002801f8: 3270e083 rsbccs lr, r0, #131 ; 0x83
0x002801fc: 1fffe593 swine 0x00ffe593
0x00280200: 0001e3c5 andeq lr, r1, r5, asr #7
0x00280204: 0004e153 andeq lr, r4, r3, asr r1
0x00280208: 95000a00 strls r0, [r0, -#2560]
0x0028020c: 00ffde57 rsceqs sp, pc, r7, asr lr
0x00280210: a126e1a0 teqge r6, r0, lsr #3
0x00280214: 4000ebff strmid lr, [r0], -pc
0x00280218: 80b0e1a0 adchis lr, r0, r0, lsr #3
0x0028021c: 3007e8bd strcch lr, [r7], -sp
0x00280220: 9002e1a0 andls lr, r2, r0, lsr #3
0x00280224: 18a02d40 stmneia r0!, {r6, r8, r10, r11, sp}
0x00280228: b0000000 andlt r0, r0, r0
0x0028022c: 08e92d40 stmeqia r9!, {r6, r8, r10, r11, sp}^
0x00280230: 07e28d70 undefined
0x00280234: 25e1a030 strcsb r10, [r1, #48]!
0x00280238: 72e1a025 rscvc r10, r1, #37 ; 0x25
0x0028023c: 02e6ef20 rsceq lr, r6, #128 ; 0x80
0x00280240: 70e08332 rscvc r8, r0, r2, lsr r3
0x00280244: ffe59332 swinv 0x00e59332
0x00280248: 01e3c51f mvneq r12, pc, lsl r5
0x0028024c: 04e15300 streqbt r5, [r1], #768
0x00280250: 000a0000 andeq r0, r10, r0
0x00280254: ffde574c swinv 0x00de574c
0x00280258: 26e1a000 strcsbt r10, [r1], r0
0x0028025c: 00ebffa1 rsceq pc, r11, r1, lsr #31
0x00280260: b0e1a040 rsclt r10, r1, r0, asr #32
0x00280264: 07e8bd80 streqb r11, [r8, r0, lsl #27]!
0x00280268: 02e1a030 rsceq r10, r1, #48 ; 0x30
0x0028026c: e92d4090 stmdb sp!, {r4, r7, lr}
0x00280270: e28d7004 add r7, sp, #4 ; 0x4
0x00280274: e1a03007 mov r3, r7
0x00280278: e3c42001 bic r2, r4, #1 ; 0x1
0x0028027c: 9083203c addls r2, r3, r12, lsr r0
0x00280280: 0000c340 Address 0x280280 is out of bounds.

Java no goes...

# /opt/iphone/java/bin/sablevm -v --property=sablevm.heap.size.min=1024 --property=sablevm.heap.size.increment=1024 ./myfirstjavaprog.class
SableVM version 1.13
Copyright (C) 2000-2004 Etienne M. Gagnon and others. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
To get the name of all copyright holders and detailed license information, type "sablevm --license" or look in the directory "/opt/iphone/java/share/sablevm".
The SableVM web site is located at http://www.sablevm.org/ .
[verbose jni: JNI_CreateJavaVM]
[verbose gc: allocating initial heap (1024 bytes)]
[verbose class: loading "java/lang/Object"]
[verbose class: loading "java/io/Serializable"]
[verbose class: loading "java/lang/Cloneable"]
[verbose class: creating "[B"]
[verbose class: loading "java/lang/VMClass"]
sablevm: cannot create vm

Before blaming the port, look at the gc line: the heap properties were taken as bytes, so this run got a 1024-byte initial heap (growing 1 KB at a time) and gave up while loading the core classes. A sane heap size is the first thing to rule out.

iz making devs inside ur iphone... (apologies to lolcats)

# pwd
/var/root/Media/dev
# ls
MAKEDEV
# zsh MAKEDEV
# ls -ltra
total 4
-rwxr-xr-x 1 root wheel 666 Oct 9 23:47 MAKEDEV
drwxr-x--- 5 root wheel 204 Oct 9 23:48 ..
crw-rw-rw- 1 root wheel 3, 3 Oct 9 23:48 zero
brw------- 1 root wheel 1, 1 Oct 9 23:48 vn1
brw------- 1 root wheel 1, 0 Oct 9 23:48 vn0
crw-rw-rw- 1 root wheel 8, 1 Oct 9 23:48 urandom
crw-rw-rw- 1 root wheel 10, 2 Oct 9 23:48 uart.iap
crw-rw-rw- 1 root wheel 10, 3 Oct 9 23:48 uart.debug
crw-rw-rw- 1 root wheel 10, 1 Oct 9 23:48 uart.bluetooth
crw-rw-rw- 1 root wheel 10, 0 Oct 9 23:48 uart.baseband
crw-rw-rw- 1 root wheel 4, 7 Oct 9 23:48 ttyp7
crw-rw-rw- 1 root wheel 4, 6 Oct 9 23:48 ttyp6
crw-rw-rw- 1 root wheel 4, 5 Oct 9 23:48 ttyp5
crw-rw-rw- 1 root wheel 4, 4 Oct 9 23:48 ttyp4
crw-rw-rw- 1 root wheel 4, 3 Oct 9 23:48 ttyp3
crw-rw-rw- 1 root wheel 4, 2 Oct 9 23:48 ttyp2
crw-rw-rw- 1 root wheel 4, 1 Oct 9 23:48 ttyp1
crw-rw-rw- 1 root wheel 1, 4 Oct 9 23:48 ttyp.iap
crw-rw-rw- 1 root wheel 1, 6 Oct 9 23:48 ttyp.debug
crw-rw-rw- 1 root wheel 1, 2 Oct 9 23:48 ttyp.bluetooth
crw-rw-rw- 1 root wheel 1, 0 Oct 9 23:48 ttyp.baseband
crw-rw-rw- 1 root wheel 2, 0 Oct 9 23:48 tty
brw---x--- 1 root wheel 14, 2 Oct 9 23:48 disk0s2
brw---x--- 1 root wheel 14, 1 Oct 9 23:48 disk0s1
drwxr-xr-x 2 root wheel 918 Oct 9 23:48 .
brw---x--- 1 root wheel 14, 0 Oct 9 23:48 disk0
crw-rw-rw- 1 root wheel 0, 0 Oct 9 23:48 console

Two things to notice before copying this MAKEDEV anywhere that matters. These nodes land on the media partition (/var/root/Media/dev), not in the devfs that is mounted on /dev. And every uart.* and ttyp.* node comes out mode 666, so any local user can talk to the baseband, Bluetooth and debug UARTs directly, while the disk nodes are owner-only (brw---x---).

Mounting the iphuc'd image on linux

Still can't believe that this worked. Take the "all" file from the iphuc session below and copy it to a Linux box:
root@harold:~# uname -a
Linux harold 2.6.20-16-386 #2 Fri Aug 31 00:51:58 UTC 2007 i686 GNU/Linux
then:
root@harold:~# mkdir zz
root@harold:~# mount -o loop -t hfsplus all zz
root@harold:~# ls zz
Applications cores etc mach opt sbin tmp var bin dev Library mach_kernel private System usr
root@harold:~# file zz/usr/sbin/BlueTool
zz/usr/sbin/BlueTool: Mach-O executable acorn
Too funny! (file's Mach-O magic of the day labels the ARM CPU type "acorn", after Acorn, where ARM started.)

iphuc get and put back tests

imac /tmp/ ./iphuc/iphuc
iphuc 0.6.1 with tab completion.
>> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
CFRunLoop: Waiting for iPhone.
notification: iPhone attached.
AMDeviceStartService 'com.apple.afc': 0
(iPHUC) /: setafc com.apple.afc2
(iPHUC) /: ls
.
..
Applications
Library
System
bin
cores
dev
[snip]
(iPHUC) /: cd /dev
(iPHUC) /dev: lcd /tmp
(iPHUC) /dev: getfile rdisk0s1

The setafc com.apple.afc2 step is what makes /dev reachable: the stock com.apple.afc service is confined to the Media directory, and afc2 is the jailbreak-added service that exposes the whole filesystem.

then back on the imac:
imac /dev/ touch all
imac /dev/ cat rdisk0s1.* >> all
imac /dev/ diff ../102root.dd all
imac /dev/
diff printed nothing, so the two files are identical: we can cleanly iphuc a copy of the root file system.

More dd experiments...

This was on a live phone: we can copy the root FS and put it back over ssh! First get a copy of the root file system; run this from the phone:
iPhone# dd if=/dev/rdisk0s1 bs=1M | ssh -c arcfour root@imac dd of=/tmp/102root.dd
OK, now put it back:
imac /tmp/ dd if=102root.dd | ssh root@iphone dd of=/dev/rdisk0s1 bs=1M
root@iphone's password:
614400+0 records in
614400+0 records out
314572800 bytes transferred in 415.893649 secs (756378 bytes/sec)
0+38400 records in
0+38400 records out
314572800 bytes (315 MB) copied, 411.517 s, 252 kB/s
time to reboot...
imac /obj3/ ssh root@iphone
iPhone# uname -a
Darwin iPhone 9.0.0d1 Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007; root:xnu-933.0.1.178.obj~1/RELEASE_ARM_S5L8900XRB iPhone1,1 Darwin
WOOT! we can dd the root partition off the phone via ssh and put it back!

Three notes on that round trip. The 252 kB/s printed by the phone-side dd is wrong (314572800 bytes in 411.5 s is about 764 kB/s; the Mac-side dd's 756378 bytes/sec is right), so work rates out from the byte and time figures. Nothing here verifies the copy before it is written back over /dev/rdisk0s1; compare a cksum of 102root.dd with one taken from the source partition first, because a short read on the ssh side would otherwise end up as a partially written root filesystem under a running system. And -c arcfour picks RC4 for speed; current OpenSSH no longer offers it, so drop the flag on a modern host.

dd raw image continued

This time on OS X:
imac //tmp/ fdisk /tmp/iphone.dd
Disk: /tmp/iphone.dd geometry: -1864135/4/63 [-469762048 sectors]
Signature: 0xAA55
         Starting       Ending
 #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
------------------------------------------------------------------------
 1: AF    0   1   1 - 1023 254  63 [        63 -     153600] HFS+
 2: AF 1023 254  63 - 1023 254  63 [    153720 -    3811185] HFS+
imac //tmp/ fdisk -d /tmp/iphone.dd
63,153600,0xAF,-,0,1,1,1023,254,63
153720,3811185,0xAF,-,1023,254,63,1023,254,63

The negative geometry is fdisk doing its size arithmetic in a signed 32-bit int: 8120172544 bytes wraps to -469762048 (8120172544 - 2 * 2^32), and that wrapped byte count is what it prints as "sectors". The partition entries themselves are intact.

dd raw image - is it viable?
First pull the whole disk image from the iPhone:
# dd if=/dev/disk0 bs=8092k | ssh -c arcfour root@imac dd of=/tmp/iphone.dd
979+1 records in
979+1 records out
8120172544 bytes (8.1 GB) copied, 7931.97 s, 0.0 MB/s
15859712+0 records in
15859712+0 records out
8120172544 bytes transferred in 7926.409517 secs (1024445 bytes/sec)
(Again the phone-side dd's rate is nonsense; the Mac-side figure of about 1.0 MB/s is the real one.)

file labels it an x86 boot sector, but that is just its name for any MBR partition table with a 0x55AA signature; the two type 0xAF (HFS+) entries it lists match the OS X fdisk output above:
root@harold:~# file /tmp/iphone.dd
/tmp/iphone.dd: x86 boot sector; partition 1: ID=0xaf, starthead 1, startsector 63, 153600 sectors; partition 2: ID=0xaf, starthead 254, startsector 153720, 3811185 sectors

Can we read it?
root@harold:~/parted-1.8.8# modprobe hfsplus
root@harold:~/parted-1.8.8# ./parted/parted /tmp/iphone.dd print
Model:  (file)
Disk /tmp/iphone.dd: 8120MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End     Size    Type     File system  Flags
 1      32.3kB  78.7MB  78.6MB  primary
 2      78.7MB  2030MB  1951MB  primary
("msdos" is parted's name for an MBR table, so it agrees with file.)

Now let's try:
root@harold:~# sfdisk -l -uS /tmp/iphone.dd
Disk /tmp/iphone.dd: 0 cylinders, 0 heads, 0 sectors/track
Warning: The partition table looks like it was made
          Device Boot   Start      End  #sectors  Id  System
/tmp/iphone.dd1            63   153662    153600  af  Unknown
/tmp/iphone.dd2        153720  3964904   3811185  af  Unknown
/tmp/iphone.dd3             0        -         0   0  Empty
/tmp/iphone.dd4             0        -         0   0  Empty

and both of these failed:
root@harold:~# mount -oloop,offset=32256 -t hfs /tmp/iphone.dd ./tt
root@harold:~# mount -oloop,offset=78704640 -t hfs /tmp/iphone.dd ./tt

Two things to check before writing the image off. The offsets are right (63 * 512 = 32256 and 153720 * 512 = 78704640), but both mounts ask for -t hfs, the classic HFS driver, right after a modprobe hfsplus; the partition image earlier in these notes mounted fine with -t hfsplus, so that is the first thing to retry. The second is that this table does not match what was dumped earlier: it says partition 1 is 153600 sectors (78.6 MB), while /dev/rdisk0s1 came off the phone as 614400 sectors (300 MB). If the kernel is not using this MBR for its partition layout, no offset computed from it will land on a filesystem header.

this also failed:
root@harold:~# acorn-fdisk /tmp/iphone.dd
Device /tmp/iphone.dd is partitioned using PC/BIOS scheme
Command (m for help): p
Disk /tmp/iphone.dd: 16 heads, 63 sectors, 1024 cylinders
Units = cylinders of 1008 * 512 bytes
          Device Boot  Begin  Start   End    Blocks  Id  System
/tmp/iphone.dd1            1      1    153     76800  af  Unknown type 175
/tmp/iphone.dd2         1039    153   3934  1905592+  af  Unknown type 175

Console boot

# nvram -p
backlight-level 28
bootdelay 0
filesize 14474
auto-boot true
boot-args
# nvram boot-args=-v
# nvram -p
backlight-level 28
bootdelay 0
filesize 14474
auto-boot true
boot-args -v
On boot you see the classic verbose boot mode, with the dmesg output scrolling up the screen.

ip aliases seem to work

16:29 < WeirdM> Will the iPhone allow you to assign multiple addresses to the WIFI interface?
16:29 < pumpkin> multiple ip addresses, or mac addresses? :P
16:29 < WeirdM> What about another application that runs and binds to another IP address and acts as a NAT router.
16:30 < core> hrrm interesting
16:31 < core> yes
16:31 < core> # /sbin/ifconfig en0 alias 10.1.1.10 netmask 255.255.255.255
16:31 < core> # ping -c1 10.1.1.10
16:31 < core> PING 10.1.1.10 (10.1.1.10): 56 data bytes
16:31 < core> 64 bytes from 10.1.1.10: icmp_seq=0 ttl=64 time=0.263 ms

syslog

20:00 < core> so to get syslog running you need /etc/syslogd.conf from your mac
20:01 < core> then break the syslog in /System/Library/LaunchDaemons/apple.com.syslogd by putting in bad values
20:01 < core> then restart the phone and run
20:01 < core> /usr/sbin/syslogd -bsd_out 1
20:02 < core> you will have the results of your efforts

Results of syslog - thanks to Mark_C for helping me with the debug. And it works perfectly with splunk!

# date
Sat Aug 25 01:23:13 EDT 2007
# ps aux | grep syslog
root 968 0.0 0.0 273028 408 p1 S+ 1:24AM 0:00.01 grep syslog
# /usr/sbin/syslogd -bsd_out 1
^Z
Suspended
# bg
[1] /usr/sbin/syslogd -bsd_out 1 &
# tail -1 /var/log/system.log
Aug 25 01:24:50 localhost kernel[0]: void AppleMRVL868x::configureWpaKey(const apple80211_key*): WPA TKIP

Cross compile for g* utils, e.g. glib, gtk, pango etc.

This is all based on the iPhone gcc-llvm toolkit 2.0 (csh-style setenv; under sh/bash use export VAR=value):
setenv PKG_CONFIG_LIBDIR /usr/local/arm-apple-darwin/lib
setenv PKG_CONFIG_PATH /usr/local/arm-apple-darwin/lib/pkgconfig/
Most of this was worked out to solve chat issues.

Running binaries outside of /bin

By default /private/var is mounted noexec:
/dev/disk0s2 /private/var hfs rw,noexec 0 2
You can edit /etc/fstab to look like this:
/dev/disk0s2 /private/var hfs rw 0 2
and reboot...
-bash-3.2# /sbin/mount
/dev/disk0s1 on / (hfs, local, noatime)
devfs on /dev (devfs, local)
/dev/disk0s2 on /private/var (hfs, local, noatime)
Then you can do neat tricks like this:
# cd /tmp
# echo "#\!/bin/sh" > test.sh
# echo "echo hello there from shebang\!" >> test.sh
# chmod +x test.sh
# ./test.sh
hello there from shebang!
( that one had me going for days, hope it is useful )

Be clear about what the fstab edit trades away. noexec on /private/var is what stops anything written to the phone's writable partition from being executed directly, which is exactly why ./test.sh was refused before: execve will not run a file from a noexec mount. If all you need is to run your own scripts, sh /path/to/test.sh works with noexec still in place, because the interpreter only reads the file as data. Dropping the flag for the whole partition is the bigger hammer.

DISK SPEED TESTS

WRITE:
# dd if=/dev/zero of=test.dat bs=1024k count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 24.6945 s, 0.2 MB/s
READ:
# dd if=test.dat of=/dev/null bs=1024k
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 29.1124 s, 1.6 MB/s

Ignore the rate column: 104857600 bytes in 24.69 s is about 4.2 MB/s and in 29.11 s about 3.6 MB/s, so the phone's dd is printing nonsense there, as it did with the 0.0 MB/s and 252 kB/s figures above. Also, without conv=fsync (or a sync afterwards) the write test largely measures how fast the page cache absorbs 100 MB, and a read of a file written seconds earlier can be served from that cache too, so neither number is a clean measure of the flash.
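The partition-table fishing in the "dd raw image" sections above (fdisk, parted, sfdisk, acorn-fdisk, then hand-computed mount offsets) can be done from the image's own MBR with nothing but od, awk and dd. The script below is an added example written for this page, not code from the original notes or from iphuc. mbr_parts reads the four 16-byte entries at byte 446, checks the 0x55AA signature, and prints the byte offset to hand to mount -o loop,offset=; slice_part copies one partition's bytes out of a whole-disk dump so it can be cksum'd against a partition dump taken separately (for example the rdisk0s1 copy above). make_mbr_image exists only to build a constructed test image with a synthetic table; its zeroed CHS fields are my assumption, since nothing here reads anything but the LBA start and count. The file name mbr.sh in the usage comment is my choice.

```shell
#!/bin/sh
# Added example (not from the original notes): read a raw disk image's MBR and
# compute what the manual fdisk/sfdisk work above was after.

# le32 N: emit N as four little-endian bytes (used only to build test images).
le32() {
    n=$1
    for i in 1 2 3 4; do
        printf "\\$(printf '%03o' $((n & 255)))"
        n=$((n >> 8))
    done
}

# mbr_entry START COUNT: one 16-byte table entry, type 0xAF (HFS+), with
# zeroed CHS fields (assumption: only the LBA start/count are ever read here).
mbr_entry() {
    printf '\000\000\000\000\257\000\000\000'
    le32 "$1"
    le32 "$2"
}

# make_mbr_image FILE SECTORS START1 COUNT1 START2 COUNT2: constructed test
# image: SECTORS zeroed sectors, a two-entry table at byte 446, 0x55AA at 510.
make_mbr_image() {
    dd if=/dev/zero of="$1" bs=512 count="$2" 2>/dev/null
    { mbr_entry "$3" "$4"; mbr_entry "$5" "$6"; } |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# mbr_parts IMAGE: print "index type start_sector sector_count byte_offset"
# for every non-empty entry; byte_offset is the value for mount -o offset=.
mbr_parts() {
    sig=$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "mbr_parts: no MBR signature in $1 (got '$sig')" >&2
        return 1
    fi
    od -An -v -tu1 -j446 -N64 "$1" | tr -s ' \n' ' ' | awk '{
        for (i = 0; i < 4; i++) {
            b = i * 16          # entry i occupies fields b+1..b+16
            type = $(b + 5)     # byte 4 of the entry: partition type
            start = $(b + 9) + $(b + 10) * 256 + $(b + 11) * 65536 + $(b + 12) * 16777216
            count = $(b + 13) + $(b + 14) * 256 + $(b + 15) * 65536 + $(b + 16) * 16777216
            if (type != 0)
                printf "%d %02x %d %d %d\n", i + 1, type, start, count, start * 512
        }
    }'
}

# slice_part IMAGE N: copy partition N's raw bytes to stdout, so a whole-disk
# dump can be compared (cksum) with a partition dump taken on its own.
slice_part() {
    entry=$(mbr_parts "$1" | awk -v n="$2" '$1 == n')
    if [ -z "$entry" ]; then
        echo "slice_part: no partition $2 in $1" >&2
        return 1
    fi
    start=$(echo "$entry" | awk '{ print $3 }')
    count=$(echo "$entry" | awk '{ print $4 }')
    dd if="$1" bs=512 skip="$start" count="$count" 2>/dev/null
}

# Usage: sh mbr.sh iphone.dd            -> table with mount offsets
#        sh mbr.sh iphone.dd 1 | cksum  -> compare with: cksum 102root.dd
if [ $# -eq 1 ]; then
    mbr_parts "$1"
elif [ $# -eq 2 ]; then
    slice_part "$1" "$2"
fi
```

Run against the table the OS X fdisk printed above, mbr_parts reports 32256 and 78704640 for the two entries, the same offsets the failed mount attempts used; if cksum of slice_part iphone.dd 1 does not match cksum of the rdisk0s1 dump, the MBR and the kernel's idea of the layout disagree, which is the discrepancy those mount failures point at.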