cmw has released a beta version of Winpwn 2.5. The guide can be found here.
NOTE: The software is still beta, so use it at your own risk.
I have a package that enables Rogers WAP $7.00 package like the USA T-Zones package but I need a tester that is in Canada. Here are the requirements of such a tester:
1) Knows how to use SSH and can type in a command that I give them without questions.
2) Has Rogers and orders rogers WAP and can verify that it is actually active on the SIM card.
3) Has iPhone OS 2.0 or later on a jailbroken iPhone.
If you believe you fit these criteria and are interested in helping out, please drop me an email.
BossPrefs Bypass Phone Lock
As we are working on categories for 2.0, I would like to replace all the icons I provide with some that make more sense. Therefore, I am asking for artists that wish to be part of the project to come forth and provide some icons that they would like included. For those that don’t know, categories is an app that provides folders on your springboard. Things like: games, apps, misc, settings, docs, internet, speed dial might make good categories. Here are my favorite icons to give you an example.
Notice the folder theme. Anyways, if anyone would like to contibute some icons please just make them around 60×60 png files (57×57 I think is standard size) and email me a zip of them here.
Planetbeing wrote an outstanding post on the simularities and differences on pwnage, quickpwn, and ziphone. It is a very interesting read. The original post was here but you can read it here as well (posted with permission).
Similarities
Jailbreak
Both utilities jailbreak.
Payload medium
Primary jailbreak payload is placed into iPhone memory for both jailbreaks
Differences
Technique
ZiPhone uses, as the root filesystem device, a pseudo-device that provides a window to an arbitrary section of memory. This memory is not allocated or otherwise reserved by the operating system and hence will be used by other random processes in other random ways and will become more and more corrupted with every CPU clock cycle. The only safe way to use this is to mlock all memory used by the jailbreak binary as soon as possible, and then use data previously uploaded to flash. Anything else will cause either the jailbreak binary to crash at random moments or cause random data to be written to flash. I am not sure why Zibri elected not to implement ZiPhone in a safer fashion.
QuickPwn uses the same mechanism that Apple uses to send its update ramdisk. This memory is both allocated and reserved. It will not crash at random moments, or give you repeating BSD root errors. This is the way the XNU kernel is designed to use ramdisks.
Longevity
ZiPhone hinges on a BUG in iBoot that was quickly fixed by Apple.
QuickPwn uses an iBoot FEATURE that Apple cannot remove without rewriting their own software and undergoing lengthy QA. Even if Apple did change the architecture, it would be straight-forward to simply mimic what they do and adapt to it. The reason QuickPwn can do this is because it relies on a hardware exploit to bootstrap into this phase. Apple cannot fix this problem without changing the manufactured hardware.
Elegance
ZiPhone modifies an existing Apple ramdisk and ships it as a complete set.
QuickPwn contains all-original code and features a very tiny bootstrapper that allows it to use libraries and code that’s already on the iPhone.
Not only does ZiPhone’s distribution of Apple’s binaries violate copyright laws, it also takes up a large portion of room on the ramdisk that could be used for the payload. Keeping its existing algorithm, ZiPhone would never have been able to install Cydia, for example. The maximum feasible ramdisk size is 32 MB; Cydia takes 13 and Apple’s library take up a significant amount. With some work, Zibri could possibly make it just under the 32 MB limit, but with the large number of files in Cydia, and the large size of the corruptible area of memory, corruption would be inevitable.
Some history / A personal note
Zibri claims to have “invented the ramdisk jailbreak”. Even if this were true, it would have as much relevance to QuickPwn as the 1.0.2 jailbreak does: The techniques used are entirely dissimilar. Not a single step in the process is the same.
However, this is not even true. Before Zibri left, we already had a prototype ramdisk jailbreak in our SVN (which Zibri later leaked parts of). It was written by myself and stored under the very obvious name of “ramdisk-jb” and it contained a modified version of a launchd written by Turbo (who should be considered the father of the ramdisk payload). It basically untarred a SSH installation onto the rootfs. It was rudimentary, and required a lot of work to get up to production standards.
While it’s obvious that Zibri has picked every bone of that SVN repository clean, I am puzzled why he did not learn from that example source code. It had mlock and it was written in proper C, unlike the rather make-do replacement of launchd with sh. Perhaps he did not understand the code.
A week before his release, we became aware that Zibri was going to write a ramdisk exploit. We considered racing him to it, but we were constrained by the fact that we had already publicized one working method of jailbreaking: The oft-loathed 1.1.3 soft-jailbreak, which we considered perfectly acceptable until the release of the SDK (we were not aware at the time the SDK release would take so long). In addition, 1.1.3 was a minor update and there was no reason people could not stay on 1.1.2 for awhile longer. The issue is that while a ramdisk jailbreak would certainly be easier and better, we would be burning this great exploit that allowed us to reliably decrypt ramdisks (which we had no other way of doing at the time).
Therefore, we chose not to build our own implementation and instead pursue Pwnage, a longer term project. It was ironic months later that Zibri came to flame us out about releasing the dual-boot method, accusing us of burning the exploit. It was amusing because it was so much lower value than the ramdisk exploit, which he was responsible for burning and really had no future prospects because of pwnagetool.
We are aware that the dual-boot method was the last remaining bit of non-public knowledge from our SVN that he had, and my belief was that the flame was caused by his soreness at losing his last chance at remaining relevant after the pmd (”ramdisk”) vulnerability was patched.
T-Mobile changed their T-Zones IP address causing everyone’s T-Zones to stop working. Thanks to help from DR03, I have fixed this and posted a new T-Zones hack for iPhone OS 2.0. All you T-Mobile users still on 1.1.x, It’s time to upgrade. I don’t plan to release a fix for iPhone 1.1.x at this time. You can update easily following one of our many guides.
For 1.1.x users that really don’t want to upgrade, you can fix proxy.pac yourself but editing the file /var/preferences/proxy.pac and changing “10.0.0.0″ to “25.0.0.0″. (The 2.0 version is a bit more flexible allowing addresses from both 10.* and 25.* to both be covered.
Quickpwn v1.50 is out. Download it here. The updates adds a youtube fix and bootneuter option to unlock the 2g. I will test this late tomorrow when I get home from vacation. Refer to the quickpwn guide for assistance using the tool.
Pwnage v2.0.3 is out to support v2.0.2 firmwares on OSX. The guide is the same but the firmware support is expanded. You can download it via sparkle (the internal update system in pwnage). Or you can grab it off theiphoneproject.org here.
This version supports fw 2 .0.2, contains for installer 4 b6, and adds support for a bunch of .de language localizations. If you need a guide you can use our guide here.