Slashdot Mirror


Guide To Building a Cable That Improves iOS Exploits

mask.of.sanity writes "An Aussie network engineer has published a guide to building a serial cable connector that allows access to a secret kernel debugger hidden within Apple iOS. The debugger was a dormant iOS feature carried over from Apple OS, and seems to serve no function other than to allow hackers to build better exploits. The cable needs an external power source and a jailbroken device to access the debugger." We've mentioned Pollock's serial adapter kit before, modulo the kernel debugging abilities.

18 of 184 comments

  1. Chicken and Egg? by Anonymous Coward · · Score: 4, Insightful

    Wait... so in order to use the cable to find exploits, you need a jailbroken device. But in order to jailbreak your device, you need to first find an exploit.

    * Yes, I do know that there are other ways to find exploits...

  2. Having to jail break your own freaking phone by roman_mir · · Score: 2, Interesting

    It's amazing that Apple and Jobs in it are so shortsighted that they don't provide official tools that people want. Of course they have contracts with AT&T and who knows what else, that's most likely why they don't want to let people use these devices as general purpose computers, so that normal apps could be executed (and then you can use Skype or whatever to go around long distance phone charges obviously). But still, this is just so screwed up that a company would not see that it is in its best interest to sell the phone with the maximum possible features in it. OK, have an official Apple utility to so called "jail break" the thing and enter another lucrative market of various adapters and gadgets that could be then used together with the phone.

    These devices are general purpose computers with wireless access and an odd phone application installed on them. Let the people use them the way they want to.

    Of course the unwillingness of Apple to allow people to use their own freaking product the way they want to provides a HUGE market for all the other types of phones (Android) to fill that gap. It's just that the short-sightedness of Apple is amazing in this instance.

    1. Re:Having to jail break your own freaking phone by Haedrian · · Score: 4, Insightful

      Even over a year after the iPhone 4 came out, it's still outselling individual phones from the likes of HTC and Samsung.

      It's not such a good comparison. Here's why. You use a smartphone to run certain programs on it (or to look good or whatever).

      If you want an Android phone, you have tons of choice. Most of them will run the same software, and so you just choose your price range or whatever.

      If you want an iOS phone you basically either buy second hand, or buy the current iPhone.

      So the iPhone isn't better than 'individual' phones, it's just the only choice you have if you want iOS.

    2. Re:Having to jail break your own freaking phone by Graff · · Score: 2

      I made an assumption that there is a market for more open phones and I believe, (maybe incorrectly), that Android based phones are more open than iPhones. I could be wrong, but that would amaze me actually. They are not more open?

      They are as open as each individual manufacturer wants them to be - which, in many cases, is pretty damn closed up.

      Sure there are ways to open them up, just like you can open up the iPhone, but it's not a simple process on a lot of them.

    3. Re:Having to jail break your own freaking phone by roman_mir · · Score: 2

      To continue my line of thinking - I wouldn't at all be surprised if at some point it came out that Apple is actively involved in providing ability to quickly jail break the iPhones and other devices that Apple sells on their own to the community through proxy.

      Would you be surprised to find out that they did that? To me it seems that the only logical explanation as to why Apple is even locking the phones at all would be 2 fold:
      1. Some government regulation.
      2. Some private contract with a phone company, like AT&T to prevent Internet enabled phones from cutting into long distance call profits.

      So in that case, if Apple wanted to increase its market share while still technically being bound by the above reasons to not allow the phones to be completely open, it would make sense for them to provide the ability to jail break those phones by proxy and not openly on their own.

      What we know about open and free software likely applies to all other aspects of economy. The more open a platform is, the more users it will have given all other things being equal. I am sure Apple does want a piece of that after market as well.

    4. Re:Having to jail break your own freaking phone by Rennt · · Score: 2

      They are as open as each individual manufacturer wants them to be - which, in many cases, is pretty damn closed up.

      Not anymore. HTC put out an official statement back in May (issued by the CEO himself) that they will not be locking the bootloaders on any new devices. Samsung responded in April with a similar (albeit unofficial) statement.

      Motorola are the only manufacturer who seem to be stuck in the "don't give the customer what they want" rut, but they haven't exactly been setting the Android world on fire since the original Droid.

    5. Re:Having to jail break your own freaking phone by Richard_at_work · · Score: 3, Informative

      What is it that "we geeks" get?

      I had both an iPhone and an iPhone 3G, before getting pissed off with iOS 4 on the 3G enough to decide to try out the Android side of the story.

      I acquired a new HTC Desire in February, and merrily set about using it as my main phone. Today is the 8th of August, so I have been using my HTC for around 6 months as my main phone - and the conclusion I have come to is that I absolutely hate it.

      I have to dig around in subscreens to get to the apps I want - on the iPhone I just scroll left or right on the home screen, but on Android I only have six homescreen slots for apps, the other home screens are taken up with applets, mail and other shite, so I have to open the apps screen specifically, and then dig around in there.

      The back button on the HTC is unbelievably broken - it entirely depends on what you were doing before as to what action it has. Does it return you to the home screen or to the previous page in the app? It depends! For example, I get a text message while my phone is locked - I unlock the phone and the message is displayed. I now want to refer to another message I have received previously, and since I am in the SMS app (as that is what is loaded), I click the back button to get to the message list. And I get dumped to the phone's home screen instead. If I open the SMS app myself, the back button works as expected! Lots of examples such as that.

      The Android Market Place is a terribly poor user experience, I utterly hate using it - it's hard to find apps, it's hard to search, it's hard to preview apps. The AppStore just seems so much better put together, especially when browsing from the device itself!

      I have had far far more interface issues with the HTC than I did with either of my iPhones - for example, the other day I was on the phone to a colleague, and the call dropped - but the HTC wouldn't let me hang up! It was sat there on the call screen, with the "End Call" button active but nothing on the line - and each time I clicked "End Call" it would briefly blank everything and then the call screen would reappear. This has happened to me several times.

      The screen locking is poor - I can't count the number of times I have taken my HTC out of my pocket to find my penis or keys had randomly dialled someone, or started to write an email. And yes, I am sure the phone was locked (a prime example of this happened to me earlier today - I ended a call, locked the phone, put the phone in my pocket - 5 minutes later, I take the phone out to make another call and the phone is unlocked and halfway through a gibberish email).

      The HTC's touch sensitivity seems to wildly vary depending on what you are doing, and buttons can be hard to actually get a press confirmed on - plus the onscreen keypad isn't anywhere near as good as the iOS one.

      That's just some of the issues I, as a "geek", have with my Android phone - I desperately want to go back to an iPhone...

    6. Re:Having to jail break your own freaking phone by Haedrian · · Score: 3, Interesting

      He used the assertion that it outsells "individual" phones as proof that Apple got their strategy right. I disputed his proof and not the conclusion.

      If you notice his second sentence was "People want" which is a stepping stone based on how they're purchasing iPhones more than any other individual phone.

    7. Re:Having to jail break your own freaking phone by Sancho · · Score: 2

      The back button was a great idea that had horrible consequences, in part because of some underlying Android fundamentals, and in part because the implementation of the back button's behavior is developer-determined.

      Apple's App store prominently features high-quality apps on the front page. If the app isn't on the front page, it's not much easier to find than on Android, except that there's a lot more cruft on Android. Generally, if I search for anything on Android, I'll get tons of wallpaper or other apps which have nothing to do with my search terms and are only cluttering up the results.

  3. Debugging circuitry... by Zapotek · · Score: 4, Informative

    ...exists in pretty much all phones (amongst other devices), although most would require some soldering on the PCBs. They are also used for forensic investigations -- or have completely separate circuits used just for forensics.
    I don't remember much to be honest (like protocols etc.) but I remember it from a forensics class I took.

    The only surprising thing here is that they allow access to that circuitry via the normal device ports.

    1. Re:Debugging circuitry... by Graff · · Score: 2

      The only surprising thing here is that they allow access to that circuitry via the normal device ports.

      This is not debugging circuitry. This is a normal serial interface that has been known about for a good long time and is even talked about in Apple's documentation. You do need to have a breakout cable to access the serial lines but once you have that it works just like any other serial port does under Darwin.

    2. Re:Debugging circuitry... by TeknoHog · · Score: 2

      The only surprising thing here is that they allow access to that circuitry via the normal device ports.

      This is not debugging circuitry.

      A lot of devices have TTL level serial ports hidden somewhere, so I would presume they are there for debugging purposes. Most computers haven't had serial ports in years, but new devices keep popping up with these TTL ports, so I guess the idea is to reserve it for professional uses. One nice thing about this discrepancy is, when all of your serial ports are TTL level, you don't need level converters.

      --
      Escher was the first MC and Giger invented the HR department.

    3. Re:Debugging circuitry... by drinkypoo · · Score: 2

      Most serial ports these days will accept a 5V signal, so if it's actually TTL then it works. A crapload of small devices have ~3.3 volt serial ports on them for debugging (e.g. Dockstar) and you need to shift the levels before even a particularly tolerant serial port will work.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

    4. Re:Debugging circuitry... by petermgreen · · Score: 2

      Most serial ports these days will accept a 5V signal, so if it's actually TTL then it works.

      IIRC most logic level serial is inverted compared to RS-232 (because most RS-232 level shifters are inverting). Sometimes you can reconfigure the logic polarity, but if your device doesn't allow that then you would need to add an inverter (at which point you may as well add a level shift chip and do it properly IMO).

      Also note that while TTL ran off 5V the logic levels it used were closer to 3.3V cmos than to 5V cmos. Indeed it is pretty common to use 5V cmos devices with "TTL compatible inputs" to convert a signal from 3.3V logic to 5V logic.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
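The last three replies (TeknoHog on TTL-level ports, drinkypoo on 3.3 V ports needing a level shift, petermgreen on inverted polarity and TTL input thresholds) are easier to see with a model of what actually goes down the wire. The following is an added example, not code from the thread or from the adapter guide: it builds an 8N1 UART frame in logic-level polarity, shows what an RS-232 receiver makes of it with and without an inverter, and checks a 3.3 V high against TTL, 3.3 V CMOS and 5 V CMOS input thresholds. The threshold voltages are the conventional datasheet figures for those families and are an assumption of the example.

```python
"""UART framing, line polarity and input thresholds.

Added example, not code from the thread. It models why a logic-level
("TTL") serial line cannot simply be wired to an RS-232 receiver, and why
a 3.3 V output may or may not register as a high on a 5 V input. The
threshold voltages are the usual datasheet figures for each logic family
and are an assumption of this example.
"""
from typing import List, Optional

# Input thresholds in volts: >= VIH reads as 1, <= VIL reads as 0, and
# anything in between is undefined (assumed datasheet values).
VIH = {"TTL": 2.0, "LVCMOS33": 2.0, "CMOS5V": 3.5}
VIL = {"TTL": 0.8, "LVCMOS33": 0.8, "CMOS5V": 1.5}


def reads_as(volts: float, family: str) -> Optional[int]:
    """What a receiver input of the given logic family makes of a voltage."""
    if volts >= VIH[family]:
        return 1
    if volts <= VIL[family]:
        return 0
    return None  # undefined region: may read either way


def uart_frame(byte: int) -> List[int]:
    """One 8N1 frame in logic-level polarity: idle high, start bit low,
    eight data bits LSB first, one stop bit high."""
    return [1, 0] + [(byte >> i) & 1 for i in range(8)] + [1]


def ttl_line(byte: int) -> List[int]:
    """The frame followed by two idle bits, as sampled on the wire."""
    return uart_frame(byte) + [1, 1]


def rs232_receiver_view(bits: List[int]) -> List[int]:
    """An RS-232 receiver treats a positive voltage as a space (0) and a
    negative or near-zero one as a mark (1). Driven straight from a
    logic-level UART it therefore sees the bitwise complement of the frame;
    an RS-232 transceiver's inverting stage is what normally undoes this."""
    return [1 - b for b in bits]


def invert(bits: List[int]) -> List[int]:
    """A single logic inverter stage added to the line."""
    return [1 - b for b in bits]


def decode_uart(bits: List[int]) -> Optional[int]:
    """Decode one 8N1 frame. Returns None when no start bit (high-to-low
    edge) is found or on a framing error (stop bit not high), which is what
    a real UART would report."""
    start = next((i for i in range(len(bits) - 1)
                  if bits[i] == 1 and bits[i + 1] == 0), None)
    if start is None or len(bits) < start + 11:
        return None
    data = bits[start + 2:start + 10]
    if bits[start + 10] != 1:
        return None  # framing error
    return sum(b << i for i, b in enumerate(data))


if __name__ == "__main__":
    b = 0x55
    print("frame on the wire:", ttl_line(b))
    print("round trip ok:", decode_uart(ttl_line(b)) == b)
    print("RS-232 receiver, no inverter:", decode_uart(rs232_receiver_view(ttl_line(b))))
    print("RS-232 receiver, with inverter:", decode_uart(invert(rs232_receiver_view(ttl_line(b)))))
    print("3.3 V high into a 5 V CMOS input:", reads_as(3.3, "CMOS5V"))
    print("3.3 V high into a TTL-compatible input:", reads_as(3.3, "TTL"))
```

Without the inverter every frame comes back as a framing error (the idle line itself reads as a break), which is the failure mode petermgreen describes; with it the bytes decode cleanly. The threshold check shows why a 3.3 V device's high sits in the undefined band of a 5 V CMOS input but is a solid high for a TTL-compatible one.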

  4. Re:when i think back to years gone by by The123king · · Score: 2, Informative

    The opinion that Jailbreaking is "stupid" is exactly that, an opinion. There are many reasons to jailbreak, and in reality, you're only more vulnerable than unjailbroken iDevices to viruses if you don't change your default SSH passwords[1]. If you don't do that, then it's you who's stupid. [1] http://news.bbc.co.uk/1/hi/8373739.stm

    --
    If you gave me a choice between a printer and a giraffe with explosive diarrhoea, I'll get my ladder and my raincoat

  5. Re:when i think back to years gone by by qxcv · · Score: 2

    That's like saying "Windows Vista doesn't get viruses if you use a Microsoft Certified Firewall Solution, Microsoft Certified Anti-Virus Solution, only install Microsoft Certified software and don't open files from outside your own network in addition to exercising due diligence and having your computer serviced by a Microsoft Approved Technician weekly."

    Also: jailbreaking uses the same mechanism as viruses do to get onto your iPhone. A virus could well jailbreak your iPhone and install itself without you even knowing given an appropriate exploit (such as the Adobe Reader exploit from a while back).

    --
    "The most dangerous enemy of a better solution is an existing codebase that is just good enough." -- Eric S. Raymond

  6. Schematics by psergiu · · Score: 2

    We want the schematics for the "hacker cable".
    The schematic from the link in the TFA, ( http://www.ionetworks.com.au/files/serial_port.pdf ) using pins 12 & 13 of the dock connector is for an "accessory connection" cable and can be used from a jailbroken iPhone with /dev/tty.iap, but the bootloader won't send anything on those pins at startup.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
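Graff's point above that the dock-connector line "works just like any other serial port does under Darwin", and psergiu's note that a jailbroken device exposes it as /dev/tty.iap, both come down to ordinary termios handling. The following is an added example, not code from the thread or the adapter guide: it puts an open tty into raw 8N1 mode and reads a line from it, and proves the configuration offline against a pseudo-terminal. The device path and the 115200 baud default are assumptions (the thread gives no baud rate); the same calls apply to a USB-serial adapter on the host side of a breakout cable.

```python
"""Raw 8N1 serial setup with termios, self-tested on a pty.

Added example, not from the thread. The /dev/tty.iap path comes from the
thread; the 115200 baud default is an assumption, as nothing in the
thread states the line speed.
"""
import os
import select
import termios
from typing import Dict

SERIAL_PATH = "/dev/tty.iap"  # assumed device on a jailbroken iPhone


def configure_raw_8n1(fd: int, baud: int = termios.B115200) -> None:
    """Put an already-open tty into raw 8N1 mode: no echo, no canonical
    line editing, no CR/NL translation, no software flow control, eight
    data bits, no parity, one stop bit, modem-control lines ignored."""
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
    iflag &= ~(termios.IGNBRK | termios.BRKINT | termios.PARMRK | termios.ISTRIP
               | termios.INLCR | termios.IGNCR | termios.ICRNL | termios.IXON)
    oflag &= ~termios.OPOST
    lflag &= ~(termios.ECHO | termios.ECHONL | termios.ICANON
               | termios.ISIG | termios.IEXTEN)
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB)
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL
    cc[termios.VMIN] = 0   # read() returns whatever is buffered...
    cc[termios.VTIME] = 0  # ...immediately; we wait with select() instead
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, baud, baud, cc])


def describe_mode(fd: int) -> Dict[str, bool]:
    """Report the settings that matter for a console/debug line."""
    iflag, _oflag, cflag, lflag, _i, _o, _cc = termios.tcgetattr(fd)
    return {
        "canonical": bool(lflag & termios.ICANON),
        "echo": bool(lflag & termios.ECHO),
        "cr_to_nl": bool(iflag & termios.ICRNL),
        "eight_bits": (cflag & termios.CSIZE) == termios.CS8,
        "parity": bool(cflag & termios.PARENB),
    }


def open_serial(path: str = SERIAL_PATH) -> int:
    """Open the device without making it the controlling terminal."""
    fd = os.open(path, os.O_RDWR | os.O_NOCTTY)
    configure_raw_8n1(fd)
    return fd


def read_line(fd: int, timeout: float = 1.0) -> bytes:
    """Read until a newline or until the line goes quiet for `timeout`."""
    buf = b""
    while not buf.endswith(b"\n"):
        ready, _, _ = select.select([fd], [], [], timeout)
        if not ready:
            break
        chunk = os.read(fd, 256)
        if not chunk:
            break
        buf += chunk
    return buf


def loopback_selftest() -> bytes:
    """Push a constructed line through a pty configured exactly as the
    serial device would be; raw mode must hand back CR and LF untouched."""
    master, slave = os.openpty()
    try:
        configure_raw_8n1(slave)
        os.write(master, b"hello\r\n")  # constructed sample input
        return read_line(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    print(loopback_selftest())
```

Run it against the real device by calling `open_serial()` and then `read_line()` in a loop; the pty self-test is there so the termios flags can be checked on a machine with no cable attached. Clearing ICRNL and OPOST matters for a console line: a cooked tty silently rewrites line endings, which is exactly what you do not want when watching a boot log or a debugger prompt.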

  7. Re:when i think back to years gone by by itsdapead · · Score: 3, Insightful

    I remember the days when Apple played commercials claiming their OS doesn't get viruses, malware, etc.

    That was in the old days when major Windows applications required you to run as administrator, when mail messages could silently install software and an unpatched XP machine connected to the internet would be infected before you had a chance to download the patches. Win 7 has done a lot to reduce that, which may be why Apple dropped the ads...

    An iOS exploit that requires physical access to the machine, a custom cable and only works on a machine which has already been jailbroken (i.e. deliberately cracked by the legitimate user) isn't exactly in the same league as the sort of remote pwnage seen on PCs in the Bad Old Days.

    --
    In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.