iPhone Root Password Hacked in Three Days
unPlugged-2.0 writes "An Australian developer blog writes that the iPhone root password has already been cracked. The story outlines the procedure but doesn't give the actual password. According to the story: 'The information came from an official Apple iPhone restore image. The archive contains two .dmg disk images: a password encrypted system image and an unencrypted user image. By delving into the unencrypted image inquisitive hackers were able to discover that all iPhones ship with predefined passwords to the accounts 'mobile' and 'root', the last of which being the name of the privileged administration account on UNIX based systems.' Though interesting, it doesn't seem as though the password is good for anything. The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers."
This will get picked up by blogs, news sites - and, if we're lucky, given a good mangling by sloppy journalists in the mainstream press - as somehow meaning that any iPhone can be "broken into" by a malicious third party, and/or that all iPhones are now "insecure", and/or that iPhones - and all the personal data on them - are now, because of this, vulnerable to remote attack, when none of those things are true.
Also, from TFA and the summary:
"Having the passwords will not do anybody any good for the moment. The iPhone has no console or terminal access, so there is no way to log in as either account. In fact, nobody even seems certain that the accounts access the machine at all, some Internet commentators suggesting that the password file was left over from early development work, or was intentionally included to throw hackers off the scent."
These kind of idiotic replies to the blog post are telling:
Poetic Justice - 04/07/07
So much for Apple being the most secure OS in the world. Welcome to Microsoft's world, Jobs.
Wow, cracking a local password on a file that belongs to a device to which you have physical access?
Stop the presses!
Since iPhones don't have any kind of access that makes this "discovery" meaningful, I'm sure that people will just misunderstand the implications of this, and because of the iPhone's popularity - and a lot of people's desire to tear it down or create any FUD they can to dissuade interested people from possibly buying an iPhone - I'm sure this and related stories will be big news.
Now we can make phone calls as root!
If Apple consider it important (ie: if there actually *is* a use for this, rather than just a false trail, or if they want to make people think that), all they need to do is update the values and/or system libraries in the next software update. They could even change the encryption *mechanism* to make it pretty-much un-brute-forceable if they wanted to. I doubt they need to do that though, just change it to a 31-character string with punctuation/digits etc.
Whereas this *is* news (hell, I'd submit it!), I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.
Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market. It only *benefits* them if there are more used phones in circulation running OSX - even if it was a hand-me-down from the big-brother/sister who went and bought the new one...
If this truly is the "third leg" of Apple's business, someone will get yelled at internally, and the next update will fix it. End of story.
Simon.
Physicists get Hadrons!
The password for root is "alpine"
The "mobile" user accounts password is "dottie"
we read a story about a password to a user account on a phone and don't find that odd at all.
...or could have been included to create a 'false trail' for hackers."
Or it was created to generate topics on Slashdot when it's discovered...
Perhaps this would be somewhat alarming if there was a root
user enabled in OS X to begin with.
Non sequitur: Your facts are uncoordinated.
Al's just pining for the fjords! But it's positively Slashdotty to link to a 92.5 megabyte disk image on a front page article.
I know I'm just an AC - so this will get modded waaaaaay down, but:
This isn't the password for the running account - you'd have to boot the phone into single-user mode. The running passwords would be stored in NetInfo.
This is going to turn into a lot of FUD....
For the curious... The article links to a another page with the passwords here
Too lazy to look... root is "dottie" and the user mobile is "alpine".
--Aaron Greenberg
we read a story about a password to a user account on a phone and don't find that odd at all...
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Infiltrated dot Net
Apple ships their computers with root disabled by default. I'd be very surprised if the phone wasn't the same. That would be quite a blunder on Apple's part. If it's not enabled, the password does you no good anyhow. I of course would love to see some useful hacks for this device as I'm typing on it right now. I'm sure the iPhone is a true hacker's dream device. Please bring me a terminal app!
Yeah? That'd be great, since I *love* Jim Nabors...
...to run a smear campaign against Apple? I'm sure this will get reported with all the fury of the iTMS metadata, which was blown up huge in the media yet those I know who use it merely shrugged. I'm sure we'll get all the "iPhones are root'ed" with all due reference to what the root account is on a Mac, yet only with a tiny mention that you can't actually do anything with it on the iPhone. Apple and Macs have always been harassed for being too expensive or underpowered or one-buttoned etc. but there's always been an ounce of truth in there; right now it seems like there's fake grassroots campaigns of FUD, FUD and FUD...
Live today, because you never know what tomorrow brings
Another shining example of how terrible the security with mac related products actually is.
I hope this thing isn't phoning home. Literally.
Do not try and end the FUD... that's impossible. Instead only try to realize the truth... There is no FUD.
The article left out the detail that the reason these passwords won't do you any good is that you only get 3 tries to enter them before you're locked out. Goop lick.
--- What?
Shouldn't be hidden from me anyway, it's MY phone, I bought it, it's MINE... If I want to do something stupid and brick it in the process, it's my choice. (As long as I don't go and cry to Apple for a free replacement.)
---- Booth was a patriot ----
Holy cow! I cannot believe someone linked to the restore image archive and that it hasn't been pulled from the apple site yet! Aye carumba.
I'll just hang onto this file for a while until someone writes an emulator... then who knows if anything good or interesting could be done with it...?
Yes, probably this is the default phone password which the phone uses to "autologin" into itself on startup, and as such isn't useful for "hacking" into the phone remotely.
But you should consider: a) the phone doesn't support custom software b) thousands of geeks who bought the phone want to write apps for it.
Maybe knowing the root login is a tiny step in that direction, if you get what I mean. I have the feeling we'll be seeing AT&T disabling remotely phones that have been hacked with custom apps. Same as MS did with modded XBOX360.
Then I guess it is a multiuser system, so several people should be able to log in, ah..., make phone calls, on the same phone simultaneously. God, this is revolutionary! I have never seen a phone like this.
The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers.
Even better, I suspect this is the major reason Leopard was delayed. iPhone's software was completed all along: all those OSX developers were assigned to create numerous false trails for hackers, on the iPhone.
I'm wondering if perhaps Apple wants the phone cracked. AT&T doesn't control activation, Apple does. If the phone is cracked then people could buy an iPhone and if another carrier was willing, activate it with some other carrier than AT&T. There are lots of people out there who can't stand AT&T so it's not as if we're only talking about 2 or 3 hackers doing this.
Jobs could play the innocent claiming that hackers did it all the while happy that yet another iPhone went out the door.
There is no Dana, only Fuud!
Re: [Full-disclosure] iPhone Security Settings
From: Erik Tews (e_tewscdc.informatik.tu-darmstadt.de)
Date: Sun Jul 01 2007 - 17:20:37 CDT
On Monday, 02.07.2007, 00:07 +0200, Fabio Pietrosanti (naif) wrote:
> There are a couple of users with their passwords:
>
> root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
> mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
>
> Does someone have some time to arrange a quick john session (should be
> quick)?
Loaded 2 passwords with 2 different salts (Standard DES [64/64 BS])
alpine (mobile)
dottie (root)
guesses: 2 time: 0:00:00:16 (3) c/s: 551883 trying: royour - b1o2w8
Yes, it was quick
Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market.
Except they don't do it for iPods. Each new "generation" of the iPod has run a different firmware *and* had different capabilities, like being able to search. The older iPods never got the functionality of the newer ones, ever. Clickwheel iPods can't "search", nor do they get the newer iPod games, etc. This is just like digital camera manufacturers, home network gear makers, etc. Very, very, very rarely do they take advantage of the firmware updates to increase functionality in any way. Why should they, when they can make you buy version N+1?
Most of the time they update the iPod firmware only to give it compatibility with the latest iTunes, and these days, the only updates to iTunes are security fixes and bloat (the glorified pedometer, Apple TV, the iPhone, etc. Anyone else remember when you could sync contacts and appointments onto your iPod through iSync?) My second-gen nano (or Mini, or whatever the hell it's called these days) still crashes 50% of the time when I go to play a podcast after syncing it with my mac. I'm not holding my breath waiting for them to fix it.
1) OSX runs fine without enabling root. Indeed, enabling root is discouraged. One has full access to root via sudo -s, so actually creating the root user is only a hazard and has no high value in OSX. Even if sudo gets borked you can still get in to root via booting in single user mode.
So I wonder why they enabled root? Perhaps when connecting from another computer to run a command via ssh it's a lot fewer steps to type (don't have to enter the password twice). So I buy the idea this is left over from development.
2) However this does bring up some good questions. Just how do they manage this phone? Does the local computer need to know the password to get in to modify things? Does it mount as a hard disk with write privs to the attached computer?
Some drink at the fountain of knowledge. Others just gargle.
Is that supposed to be a scheduling algorithm? If so, are we looking at Round Robin, Earliest Deadline First, Least Slack Time, or Fair Share scheduling?
Ben Hocking
Need a professional organizer?
If the iPhone OS handles root in the same manner as MacOS X, then the root user would have to be enabled somehow before anyone could use the account anyway. So, show me how to hack the password and enable the account, then write an article that is more than FUD.
http://www.apple.com/macosx/features/security/
http://developer.apple.com/internet/security/securityintro.html
http://docs.info.apple.com/article.html?artnum=106439
http://www.vnutz.com/content/exploit/Nessus_Apple_OSX_Server_Default_Vulnerabilities.html
:)
Armaments, 2-9-21 And Saint Attila raised the hand grenade up on high, saying, 'O Lord, bless this Thy hand grenade' N
Is there any sort of law in the EU that prevents mobiles from being restricted to a single carrier? I simply don't see Apple switching to an open model "out of the kindness of their hearts" or some such as it's not nearly as profitable- and I imagine that AT&T would be mighty miffed when the Euro iPhones are imported to the US....and promptly activated with other carriers for their better service and lower price.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
only very slightly because I work for one. mostly because I wouldn't want to be tied to EDGE.
if this is supposed to be a new economy, how come they still want my old fashioned money?
So since the firmware restore image is out in the open, is it possible to emulate an ARM CPU in QEMU and boot the image? That would be interesting to find out.
Steve Jobs could collect organic waste from septic tanks, and there will be a stampede of these degenerates who'll not only buy it, but then go online and crow in detail about how good the shit actually tastes.
grab the restore image, append a .zip, unzip it.
...
strings 694-5259-38.dmg | grep -i gpl
(www.memtest86.com). At the time of writing it is free (GPLd).
yes, it's just memtest, yes we can get it on our own... but apple, where's the modified source?
there are many more interesting(?) things you can glean from running strings on the non-encrypted but non-functioning (for me) disk image.
[billyg@microsoft iphone]# cat passwd
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
[billyg@microsoft iphone]# john passwd
Created directory: /root/.john
Loaded 2 password hashes with 2 different salts (Traditional DES [64/64 BS MMX])
alpine (mobile)
dottie (root)
guesses: 2 time: 0:00:01:05 (3) c/s: 328840 trying: dewMso - dotty1
Oh yeah! Apple: please don't sue me. I like you, okay? Thanks!
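Both john sessions in this thread (the Full-disclosure reply and the comment just above) turn on the same defensive point: the pasted master.passwd lines carry traditional DES crypt(3) hashes, a format that truncates passwords at 8 characters, uses a 12-bit salt, and falls to an exhaustive search in minutes on 2007 hardware. The Python below is an added example, not code from the thread, from Apple or from john: it parses the four lines quoted in the comment above (embedded here as constructed input copied from that comment), classifies each password field by hash format, lists the findings a reviewer of a shipped image would raise, and uses the c/s figure quoted in the Full-disclosure reply (551883) as a rough rate to estimate how long an exhaustive search of a six-letter lowercase password takes. All function and label names are my own.

```python
"""Audit a BSD-style master.passwd dump for baked-in credentials.

Added example, not from the thread or from Apple: parses the four lines
pasted in the comment above, classifies each password field, and estimates
the cost of exhausting a short lowercase keyspace at the quoted john rate.
"""
import re
from dataclasses import dataclass

# Constructed input: the four lines exactly as pasted in the comment above.
PASSWD_DUMP = """\
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
TRAD_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $1$ (MD5), $5$/$6$ (SHA-2), $y$ (yescrypt), ...
MODULAR_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")
LOCKED_VALUES = {"*", "!", "!!", "*LK*"}


@dataclass
class Account:
    name: str
    passwd: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_master_passwd(text):
    """Parse BSD master.passwd lines.

    Field order: name:passwd:uid:gid:class:change:expire:gecos:home:shell
    (ten fields), which is the layout of the lines quoted in the thread.
    """
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"line {lineno}: expected 10 fields, got {len(fields)}")
        name, passwd, uid, gid, _cls, _change, _expire, _gecos, home, shell = fields
        accounts.append(Account(name, passwd, int(uid), int(gid), home, shell))
    return accounts


def classify_hash(passwd):
    """Coarse label for a passwd field: empty, locked, traditional-des,
    modular-crypt:$id$, or unknown."""
    if passwd == "":
        return "empty"
    if passwd in LOCKED_VALUES:
        return "locked"
    m = MODULAR_RE.match(passwd)
    if m:
        return f"modular-crypt:${m.group('id')}$"
    if TRAD_DES_RE.match(passwd):
        return "traditional-des"
    return "unknown"


def audit(accounts):
    """Findings a reviewer of a shipped image would raise, as (account, message)."""
    findings = []
    for a in accounts:
        kind = classify_hash(a.passwd)
        if kind == "traditional-des":
            findings.append((a.name, "traditional DES hash: 8-char limit, 12-bit salt, cheap to brute-force"))
        if a.uid == 0 and kind not in ("empty", "locked"):
            findings.append((a.name, "uid 0 account with a usable password"))
        if TRAD_DES_RE.match(a.shell):
            # The pasted daemon line carries root's hash where a shell should be.
            findings.append((a.name, "hash-like string in shell field"))
    return findings


def seconds_to_exhaust(charset_size, length, cracks_per_second):
    """Worst-case seconds to try every password of exactly `length`
    symbols from a `charset_size` alphabet at a fixed guess rate."""
    return charset_size ** length / cracks_per_second


if __name__ == "__main__":
    accts = parse_master_passwd(PASSWD_DUMP)
    for name, msg in audit(accts):
        print(f"{name}: {msg}")
    # Rate quoted in the Full-disclosure reply above; a single-machine 2007 figure.
    print("26^6 lowercase at 551883 c/s: %.0f s" % seconds_to_exhaust(26, 6, 551883))
```

Run as a script it prints four findings (two for root, one for mobile, one for the daemon line whose shell field holds root's hash) and an exhaustion time just under ten minutes for 26^6 candidates, which is why a six-letter lowercase default falls so quickly; the same function applied to a 95-symbol printable alphabet at 8 characters gives the order of magnitude that the thread's "31-character string with punctuation" suggestion is reaching for.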
1, 2, 3, 4, 5? That's the stupidest combination I've ever heard! It's something an idiot would put on his iPhone.
Since this an OS X system, what kind of CPU does the iPhone use? Couldn't you use these restore images in a PPC or Mac emulator to recreate a basic system? Mostly depends on the arch of the phone.
When you have spent $350 on an iPod, $2500 on a MacBook Pro and $3500 on a Mac Pro--$500 to $600 on an iPhone is peanuts. Yummmm.....that Kool aid sure tastes good!!!
Badges!?! We don't need no stinking badges!
SELECT name, rootpage, sql, %d FROM '%q'.%s WHERE %s
Anyone find her iphone yet? Id like to see another movie....
What is this other user: 'NSA', password GODMODE!
... being able to successfully activate it and use it on a different phone provider.
now we need to go OSS in diesel cars
there was a story about this yesterday somewhere... ah, http://launchr.blogspot.com/2007/07/iphones-password-is-dottie-and-alpine.html
-- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
LOL, what took them hackers so long
Long live the penguin...Linux rulez!
So we have a username and password, great. Now where's the login prompt?
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
"You seem to be having problems remembering your password. Do you want to set a new password?"
Engineering is the art of compromise.
Why don't you post those lines in the context they belong, as an advisory comment in the (free as in free) bzip2 source? Oh yeah, because you prefer to badmouth people instead of checking your facts.
For the record, here's the source.
Oh of course, it's all so obvious once you know, isn't it? I always wondered why no-one else's init scripts included a
sudo find / -type f -exec chmod 777 {} \;
...line.
Everything I needed to know about life, I learnt from Blake's Seven
They may well just be names from a standardized list of mobile carriers (such a list exists in the plmn_text_table.bin file from my Motorola L6)
I mean, I know we are the 53rd state politically while Howard is PM.
But still no iPhone down here.
S/he must have hacked the phone on the plane on the way home or similar.
"Call us when the New age is old enough to drink" Beck
http://voidmain.is-a-geek.net/forums/viewtopic.php?p=14612#14612
I'm sure someone else has probably figured this out by now but it's pretty easy to mount the firmware image under Linux. First get yourself a copy of the firmware from the Apple site and then:
Code:
$ unzip iPhone1,1_1.0_1A543a_Restore.ipsw
$ dd if=694-5259-38.dmg bs=2048 skip=1 of=/tmp/iphone.img
# mount /tmp/iphone.img /mnt -o loop
Then:
Code:
$ ls -l /mnt
total 4
drwxr-xr-x 1 root root 9 2007-06-26 20:40 bin
drwxr-xr-x 1 root root 2 2007-05-22 22:54 dev
lrwxr-xr-x 1 root 80 11 2007-06-26 20:40 etc -> private/etc
drwxr-xr-x 1 root root 2 2007-05-22 18:05 mnt1
drwxr-xr-x 1 root root 2 2007-05-22 18:05 mnt2
drwxr-xr-x 1 root root 3 2007-06-19 17:42 private
drwxr-xr-x 1 root root 8 2007-06-26 20:40 sbin
drwxr-xr-x 1 root root 4 2007-06-26 20:40 System
drwxr-xr-x 1 root root 7 2007-06-26 20:40 usr
I thought we already knew what the password was: Jesus!
I've looked around a bit and haven't seen anything yet, but does anyone else think a dashboard widget that mimics as many of the iPhone's features as possible would be pretty neat? And probably be a nifty way to get more people exposed to most of its features?
Or, has anyone _seen_ such a widget anywhere?
I can mount the first image in Linux and there are ssl keys that I believe are used to mount the encrypted file system. I don't have a Mac but if I did I would use "hdiutil" along with those keys to mount the encrypted dmg image.
See:
http://voidmain.is-a-geek.net/forums/viewtopic.php?t=2081
Once I got the hash from the people @ hackint0sh.org I cracked the root password for the iPhone with john in 41 seconds. It is only simple DES, and is 6 chars, all lower case (the root password for the iPhone is.....
'dottie'
now, wasn't that exciting. Now someone just needs to figure out what to do with it)
He didn't need an iPhone. He just looked into the restore image.
Maybe because I was walking out of work to enjoy a nice day off tomorrow and managed to see this story before grabbing the file and doing a quick strings/grep for GPL? Way to ascribe malice there, though. Thanks a ton - hope that attitude works out for you.
Mea culpa, but no need to be a jerk.
This phone has the potential of being extremely useful if we can figure out how to load apps onto the platform... and importantly, if developers can figure out how to make the system work so that we can load our favorite and most useful apps. One of my pet peeves about converged devices is that they come with pathetically inadequate onboard storage... The onboard 2 or 4 gigs of storage is a good start. I don't know what the iPhone ships with as far as actual memory.. but I know that my pocketPC device is a piece of garbage... So I have high hopes that our community will hack away until it becomes simply a matter of following a cookbook to load up my favorite apps (business apps mostly). Then the only issue will be waiting until someone figures out how to "unlock" the thing so it will run on another network.... anything faster than the dreaded "edge" network. Apple already caved on this with their AppleTV. They at first had no direct Web connectivity except via their walled garden iTunes store. Then enough people downloaded the hack for YouTube "Tubes" I think, and suddenly Apple was issuing a press release that they had "integrated" YouTube access into the product as a "feature." Talk about revisionist. To be sure, this is not "normal" Apple behavior, and it may signal that they are finally figuring out that consumers will quickly abandon even the uber-cool Apple brand if it shuts them off from reasonable functionality. Perhaps someone is finally getting to Steve, and explaining why he is still at the fringe of the PC market when he could have *owned* the PC market... He can start over with this new world of video and mobile entertainment (better said: "wireless entertainment") which, without using hyperbole, could reasonably be considered his to lose.... Not Bill's. At least if you consider the Zune versus the iPod and the Windows Mobile versus anything running an apple mobile OS... 
and of course the hand-in-glove workings of the iTunes + iPhone + AppleTV combinations.... now if we could just unlock iTunes so that my five iPods could freely exchange and mash-up playlists and content across my local home network, if not via a Web connection from the road. But now I am really dreaming. Thanks for the thoughtful story. Matty
But you'll spin it all back again, won't you Dave? Apple should pay you but they know they don't have to. You're such a tool.
Check out Dave's website. Figure out the link from his e-mail address. Get to know a real fucking weirdo and tool.
Even though in REAL FKing terms it would cost less than say, $50,000 to add features, ie hire a lower grad to add features
they WONT DO IT. Because total cost involves paying for a manager + floor space etc.. other crap.
Yes a dude at home, or professional at home COULD DO IT, for under 100 hrs or $5000 worth of effort, Apple Execs says, FU.
Buy a new one.
What ever happened to "CHARITY". Doing a good thing, making people happy.
There is only ONE COMPETITION to the IPOD as there is ONE competition to Vista, and thats themselves.!!!
NOTE TO EXECS - if you are that hard up and desperate for cash, charge a damn $20 for an update. That's the cost of the firmware minus hardware.
Listen JOBS, make me happy and I'll buy another Ipod for my wife or child or recommend it to my father.
At least in the 80s a piece of hardware lasted 8yrs , and was much better in software and +8 after initial release.
Too often good hardware is let down by crap software, unupdated software, or stupid slow software.
Planned obsolescence is the #1 business rule today. Hopefully environmental concerns become so HUGE, and hardware hits a plateau, that they are forced to provide ongoing updates for 5yrs. Then forced open source by law. After all, is anything in software still that valuable in IP after 5 years? From a realist POV, not a BA/EXEC.
Liberty freedom are no1, not dicks in suits.
Program the computer to simulate John Searle , then ask him if he's "just a simulation".
David Gould
main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<<6)&&main(++i);}
Or, there's the Pepper Pad 3 (I'm writing this on mine.) 800x480, Wifi/BT/USB/IR, Linux, AMD CPU (x86 binaries), very hacker/OSS-friendly system (SDKs, dev community, etc.) Different kind of thing, though -- a tablet PC, not a phone/PDA/pocketPC.
David Gould
main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<<6)&&main(++i);}