
Notes on a 1.1.2 OTB Software Unlock

George Hotz

I don't see it happening anytime soon.

The old exploits aren't here anymore. The hope would be finding an exploit in the new baseband code itself to run a large amount of code. But I think the bootloader is pretty well locked down.

First of all, downgrading the bootloader from software is out of the question. The bootrom exploit runs before the current bootloader, so it can access the bootloader. But when the bootloader boots, it locks down its sections of flash. So after the bootloader runs, the bootloader can't be touched.

Secondly, the only secpack that validates on 4.6 is >= 1.1.3. They made a change to the format of the secpack so the older ones don't validate. So if we looked for an exploit in the baseband itself, it would have to be on post-1.1.2.

Firmware is signed as it is uploaded, and this is what IPSF and AnySim take advantage of. The old bootloader just relied on waiting for the sig to check before running the first 0x400 bytes, which are the start vectors. The new bootloader also needs the "secpack" at 0x3c0000 to validate. So we would have to find an exploit which can write the first 0x400 and nuke 0x3c0000.
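As an added illustration (not code from this post or from any real bootloader), here is a small C model of the two protections described above: the bootloader's one-way flash lock, and the secpack version gate at 0x3c0000. The flash size, the bootloader region extent, the secpack byte layout and all function names are assumptions; the RSA signature check is not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FLASH_SIZE     0x400000u  /* assumed 4 MiB NOR */
#define BOOTLOADER_END 0x020000u  /* assumed extent of the bootloader's own sections */
#define SECPACK_OFF    0x3c0000u  /* secpack location named in the post */

static uint8_t flash[FLASH_SIZE];
static bool    bootloader_locked;  /* one-way: only a reset clears it */

/* Power-on: the bootrom stage runs first and nothing is locked yet. */
void chip_reset(void) { memset(flash, 0, sizeof flash); bootloader_locked = false; }

/* The bootloader locks its own sections as soon as it runs. There is
 * deliberately no function that clears the flag short of a reset. */
void bootloader_run(void) { bootloader_locked = true; }

/* Write policy: the bootloader region is writable only before the lock
 * (i.e. from the bootrom stage). The firmware area, secpack included,
 * stays writable so that normal updates still work. */
bool flash_write(uint32_t addr, const uint8_t *src, size_t len) {
    if (len > FLASH_SIZE || addr > FLASH_SIZE - len) return false;
    if (bootloader_locked && addr < BOOTLOADER_END) return false;
    memcpy(flash + addr, src, len);
    return true;
}

/* Constructed secpack layout (assumption): bytes 0..2 hold the firmware
 * version as major.minor.patch, so 1.1.3 encodes to 10103. */
uint32_t secpack_version_code(void) {
    const uint8_t *sp = flash + SECPACK_OFF;
    return (uint32_t)sp[0] * 10000u + (uint32_t)sp[1] * 100u + sp[2];
}

/* The 4.6 bootloader's gate: a secpack older than 1.1.3 does not validate,
 * so the start vectors in the first 0x400 bytes are never executed. */
bool secpack_accepted(void) { return secpack_version_code() >= 10103u; }

/* Walks the sequence the post describes and returns true if every step
 * behaves as the lock-down predicts. */
bool demo_sequence(void) {
    static const uint8_t v112[3] = {1, 1, 2}, v113[3] = {1, 1, 3};
    chip_reset();
    bool ok = flash_write(0x1000u, v112, 3);        /* bootrom stage: allowed  */
    bootloader_run();
    ok = ok && !flash_write(0x1000u, v112, 3);      /* after lock: refused     */
    ok = ok && flash_write(SECPACK_OFF, v112, 3);   /* firmware area: allowed  */
    ok = ok && !secpack_accepted();                 /* 1.1.2 secpack: rejected */
    ok = ok && flash_write(SECPACK_OFF, v113, 3) && secpack_accepted();
    return ok;
}
```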

The IPSF unlock itself uses an RSA hack in bootloader 3.9. This has been thoroughly patched in 4.6.

Also even if we found a way to brute force the NCKs in sane time, we can't get the data to do the brute force off 4.6. The only hope here is to find the Apple algorithm used to generate the NCK. I don't think this is possible, unless we have a mole in Apple :)

I hope I am wrong, and some clever person will come along with a software unlock.


1.1.3 Unlock and Linux Driver

George Hotz

The IPSF exploit still works in the 1.1.3 baseband, and now that we know Apple doesn't update the bootloader it appears to be safe to use. IPSF works using the RSA signature hack in bootloader 3.9, so as long as the bootloader is 3.9, I can't see it breaking. Here is source code I wrote to do the IPSF unlock a while ago. With a few mods, people can turn their virginizer into an IPSF unlocker. I wouldn't bother with the AnySim patches anymore, they are lost after every restore, and need to be modified for each version of the baseband. Be warned though, back up your seczone before IPSF unlocking. IPSF erases your NCK token.

Also I was playing around with writing Linux drivers, and I figured I'd start one for the iPhone. Here is what I have so far, it only works in recovery mode. You can echo iBoot commands to /proc/iphone/cmd


The silicon chip inside her head...

This ability we now have to run background tasks means we are one step closer to the 3G soft unlock. We have a clear path to follow, and “all” that remains is the implementation.

A quick summary of the key 3G-unlock-related achievements we’ve made so far:

  1. Unsigned code execution on 3G baseband
  2. Reverting 01.45 baseband to previous versions
  3. Patching of static text (the AT&V demo)
  4. Injection of AT routines (the task list demo)
  5. Injection of background tasks (this demo)

Now it’s on to taking on the baseband code that enforces the carrier lock.

A high-quality version of the video is available via bittorrent here.

A version that’s playable on your iPhone or iPod Touch is available here.

P.S. That “One more thing!” text is being generated by the backgrounded “steve” task at 5-second intervals. The “A0” is the task’s priority.

P.P.S. Remember…don’t update to official 2.2 when it comes out if you ultimately want a 3G soft unlock!


'Tis the Season to be Jolly! - yellowsn0w

Now that you guys have got used to the tanning and blindness caused by the glare of our new blog template, we can get back to mean business. We’ll give you some updates and also tell you our programme for the holiday season.

Over the Christmas break some of our members will be talking at the Chaos Computer Club’s 25C3 Congress. This talk will be a dry technical talk relating to iPhone security and our previous exploits. You can see more information about the talk “Hacking the iPhone” and some more content at the CCC blog. Here is even a super-cool TeamPwnapple T-Shirt ;-)

3G Unlock

We have been working hard on a few other things. The main one being the 3G unlock codenamed “yellowsn0w”. This is now complete and is currently being packaged into an easy application with the simplicity that you see in QuickPwn or BootNeuter.

  • The target release date for the unlock is New Year’s Day 2008.
  • This unlock method is available to iPhone 3Gs that have 2.11.07 baseband or earlier, we did warn you.
  • You can tell what version baseband you have by going to Settings->General->About->Modem Firmware
  • The unlock requires a jailbroken 3G iPhone. It’ll be installable via Cydia and so it doesn’t matter if you have a Mac or PC.
  • Please refrain from updating your baseband, regardless of what version you’re at. We’ll have full instructions on New Year’s Eve.
  • We’ll stream a live demo of the unlock before Christmas (see the update at the end of this post)

DFU Issues in OS X 10.5.6

Lots of users have been experiencing problems with the use of DFU mode after applying yesterday’s 10.5.6 system update.

We suspect this behaviour is due to a kernel bug and not a deliberate move by Apple. Possible fixes are (try at your own risk!) -

1. Replace the following plugin kexts from within IOUSBFamily.kext with the ones from 10.5.5 and then rebuild kextcache (if you don’t understand this, then you shouldn’t attempt it!)

/System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/AppleUSBHub.kext

/System/Library/Extensions/IOUSBFamily.kext/Contents/PlugIns/IOUSBCompositeDriver.kext

2. Use a USB hub in-between the DFU device and the Mac and insert/reinsert the iPhone’s USB cable.

3. Use a PwnageTool created .ipsw on Windows! Oh the irony!

iPod touch 2G

Currently we are not investigating the iPod touch 2G. Other people outside the Dev-Team are looking into this, but we are not at the moment. Please don’t bombard us with comments and requests about this, they’ll just be deleted and ignored. If we do look at this device it will be sometime in the New Year and we’ll update you guys if and when we start this work.

We would like to reiterate that this is not because -

  1. We are mean
  2. We are turning our back on the iPod touch community
  3. We have been paid off by JFK, Princess Diana or Elvis

This is because -

  1. It’s not an iPhone
  2. We have been busy with the 3G unlock.
  3. We have been busy with the CCC talk.
  4. Only one of us has an iPod touch 2G (but we’ll see what Santa brings)
  5. Our employers don’t get as excited as us about hacking expensive pretty devices
  6. Unfortunately our partners, parents and pets need occasional attention too.

Update: Live Demo

Sometime before Christmas, MuscleNerd will show a live demo of the unlock (and some other random kernel and pwnage stuff). It’ll be streamed live via the awesome Qik application, and announced via his Twitter account just as the broadcast begins.


My iPhone's radio cooked - can I have yours?

So in an attempt to figure out what was bricking unlocked phones on 1.1.1, I upgraded my unlocked phone to 1.1.1. After a number of (shall we say) brave attempts at fixing the radio, I managed to break it even farther, by somehow completely breaking the radio. I have this witty message as shown on my phone, and nothing (not CommCenter, not bbupdater, not iEraser, nor NORDumper) can communicate with the baseband on the phone. All restores fail because they can't talk to it.

So it looks like if I want to continue experimenting with 1.1.1 I'm going to have to replace the radio board on my phone with a new one.

If anyone here has an iPhone with a cracked screen or some other non-radio problem (dead battery, etc) just laying around, I could definitely use it. I'll send you an assembled Time Fountain for it, if you'd like.
