Notorious George Hotz has obviously managed to get all 7 SPUs of the PlayStation 3’s CPU under his control. This means that although he cannot access the CPU’s root key, he can now decrypt everything that goes through these SPUs, such as the data streams of (encrypted) commercial games.
The PPU is higher on the control chain than the SPUs. Even if checks were to be added to, for example, verify the hypervisor before decrypting the kernel, a modified hypervisor could still be hidden with clever memory mappings.
In the meantime another hacker going by the nick XorLoser has released a more detailed manual on how to use GeoHot’s exploitation files and how to do the glitching.
Besides that, XorLoser maintains a plugin for the reverser’s beloved Interactive Disassembler (IDA) that adds the special PPC instructions of the Xbox 360 and PS3.
Congratulations to GeoHot. Kudos fly out to XorLoser.
A cross-platform jailbreaking, unlocking, and customizing tool for iPhones and iPod touches. Customizations include boot logos, recovery logos, and “verbose” boot. It’s a standalone program that doesn’t use iTunes (no custom IPSWs are involved).
The download links are at the bottom of this page (but please read the whole page anyway!).
We’ve been offering redsn0w in various incarnations over the years (including poorlad’s Windows version of QuickPwn). The most recent release before this one was redsn0w 0.8, which targeted Apple firmware 3.0/3.0.1.
Notorious iPhone hacker GeoHot has successfully circumvented the PlayStation’s security system. According to his latest blog entry, he has dumped the LV0 and LV1 code, thus (theoretically) allowing him to run code on the processor, bypassing the hypervisor.
The PlayStation’s hypervisor is intended to run third-party software (like Yellow Dog Linux) on a virtualized level, thus maintaining system integrity and protecting the host system. Within this virtualized environment, arbitrary access to certain hardware devices has been disabled, allowing, for example, only basic access to the graphics processing unit (GPU).
GeoHot seems to have broken the chain of trust. This means he can bypass the hypervisor and directly access hardware like the GPU with his custom code. However, he has not released any further information or proof of his work. But hey, it is not just anyone, it is GeoHot, so it seems solid.
We compiled some links for people interested in the hypervisor protection topic.
That means all carrier- or SIM-locked iPhones around the globe running this latest firmware can be used with different SIM cards from different carriers. Thus holidays no longer have to be a roaming fee horror show.
Information about the unlock procedures will be released on BlackRa1n.com on Nov 04, 2009. Until then, enjoy GeoHot’s video proof:
Kudos fly out to GeoHot. Outstanding work, dude. But why the hell is there always Snow, Rain, Snow, Rain? Why no sunshine, guys?
Today notorious GeoHot released a new jailbreak tool called BlackRa1n. BlackRa1n is currently only available for Microsoft Windows. It is supposed to jailbreak any 3.x based iPhone or iPod touch, no matter if you’ve jailbroken before or not.
BlackRa1n is fairly self-explanatory and straightforward in its design. It’ll automatically bring your iPhone or iPod touch into Recovery Mode.
Sadly, BlackRa1n currently does not hacktivate your iPhone. So you still need a valid subscription with an Apple-licensed carrier or a factory-unlocked iPhone.
GeoHot today posted a photo of a jailbroken iPod touch running iPhone OS 3.1. He finally made it. As of now there is no more information available, but it is likely that this is the approach he and the Chronic Dev Team were talking about.
Some irritation is going on in the Apple hacking community. On the one hand, GeoHot today announced that there will be a tool that allows jailbreaking all iPhones and iPod touches, but as he wishes to perform further tests, he did not say anything about the procedure.
The Chronic Dev Team, on the other hand, who seem to have been working together with GeoHot, now released the technical details about this hack. Sadly, as there is no GreenPois0n tool available as of now, the technical details are most likely useless for 99.9% of all iPhone and iPod users.
It is unknown why the Chronic Dev Team released the information before a tool had been finished. But it seems GeoHot is not amused by this step.
Update 2009, Oct 19th: GeoHot and the Chronic Dev Team say they have independently found the bug that allows for jailbreaking the 3.1 firmware.
End-user compatible information
According to mFX.ch (German only), the forthcoming GreenPois0n jailbreak tool will not require bringing the iPhone into DFU mode. GreenPois0n will be released on The Pirate Bay*.
Update July 5th, 2009: GeoHot now also provides a Mac OS X version of the jailbreak tool. Windows and Mac versions ready for download at purplera1n.com…
That’s it with the 3.0 firmware and the iPhone jailbreaks. Apple has been beaten again, this time by GeoHot. Although the iPhone Dev Team seems to have their programs already prepared, they preferred to hold back the release of an updated PwnageTool. GeoHot did not want to wait and decided to release a Windows-based jailbreak tool for the iPhone 3GS called PurpleRa1n.
All three iPhone generations can now be activated, jailbroken and unlocked with the current firmware 3.0. Currently, for the iPhone 3GS there is only a Windows version available, which is still in heavy beta testing. Anyway, you can give it a try. The security hole that gets exploited in the iPhone 3GS is well known as the 24k bug, which was found in January in the iPod touch 2nd generation.
GeoHot posted a picture showing that he managed to run custom commands on iBoot. This seems to be the first major step towards a jailbreak. Moreover, GeoHot also managed to find the key for the ramdisk, while MuscleNerd of the iPhone Dev Team has obviously already found the vfdecrypt key.
All this is good news. Anyway, both GeoHot and the Dev Team will still have lots of work to do. Don’t expect anything soon, since GeoHot also found a new security addition called ECID, which is obviously generated by Apple’s servers and seems to be unique to every iPhone. Every restore seems to require validation by Apple’s servers. And this is bad news.
Although we didn’t get our hands on a new iPhone 3G yet, things are as expected: the iPhone 3G uses a new bootloader for its baseband modem as confirmed by Geohot.
Bootloader versions from the “old” iPhones
As far as we are aware, there are 3 different bootloader versions known on old iPhones:
3.8 (very rare)
3.9 (iPhones before november 2007) and
4.6 (iPhones after november 2007).
It is widely known that exploits for these old bootloaders have been found that allow SIM unlocking any of these old iPhones, no matter which software revision is running.
No Unlock for iPhone 3G, but for old iPhones
For the new iPhone 3G bootloader, there is no (public) exploit known yet. Although the iPhone Dev Team states they can unlock firmware 2.0 – the unlock is most likely meant to work on “old” iPhones only. The only exploit yet known (in both old and new iPhones) is an iBoot bug. The iPhone Dev Team provided a video showing Pwnage Tool neutering the baseband for firmware 2.0:
Video: Pwnage Tool Bootneuter on firmware 2.0 (on an old iPhone)
The Pwnage Tool 2.0 (and Geohot’s yiPhone) will most likely use an iBoot bug to jailbreak old and new iPhones. iTunes needs to talk to iBoot when restoring firmware. About a year ago, Geohot found out that iBoot provides a full interactive shell. The only problem was that iBoot only allowed signed code to run. The iPhone Dev Team has now managed to break the chain of trust from the earliest boot stage. This allows running unsigned code and, in the end, jailbreaking old and new iPhones (see video):