
How the Devteam Conquered the iPhone

391 points, by jdkee, about 1 year ago

10 comments

dmitrygr, about 1 year ago

> HELP WANTED: If you happen to know why -0x400 trick works, or can get in touch with Geohotz/MuscleNerd, please let me know. I have tried to ask around but have not found any explanation. I would be happy to update this article if someone knows.

This is commonly done with fw updaters. The first 0x400 bytes is a header that the earlier stage loader needs to see before it'll allow this stage to boot. So you RX the data, write it freely, just not the header. This is safe and will not allow any code exec since the header is missing. Then at the end you sig check the whole thing you wrote, and if it is good, you write the header, making the whole image valid.

The trick here is you write 0x400 bytes of garbage first, 0x400 bytes earlier than your desired write. This is buffered but not written (treated as the header). The rest of what you sent IS written (writing what you wanted where you wanted). Then the sig is checked. You fail. The first 0x400 is not written (and you did not want it written).

Win
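To make the updater behaviour dmitrygr describes concrete, here is an added simulation (not code from the thread, the article or Apple): a header-gated writer that commits everything except the header before the check, beside a staged variant that touches flash only after verification. The 0x800-byte flash, the all-zero "signed" image and a SHA-256 stand-in for the signature check are constructed assumptions.

```python
import hashlib

HEADER = 0x400  # header the earlier loader must see before it will boot this stage

class HeaderGatedUpdater:
    """Behaviour from the comment: bytes past the header hit flash as they
    arrive; only the header is buffered until the signature check at the end."""
    def __init__(self, flash_size, good_digest):
        self.flash, self.good_digest = bytearray(flash_size), good_digest
        self.header, self.pos = bytearray(HEADER), 0

    def receive(self, data):
        for b in data:
            if self.pos < HEADER:
                self.header[self.pos] = b  # buffered, not on flash yet
            else:
                self.flash[self.pos] = b   # on flash before any verification
            self.pos += 1

    def finish(self):
        image = bytes(self.header) + bytes(self.flash[HEADER:])
        if hashlib.sha256(image).digest() != self.good_digest:
            return False  # header withheld, but everything else is already written
        self.flash[:HEADER] = self.header
        return True

class StagedUpdater:
    """Hardened variant: stage the whole image, verify, then commit; flash stays
    untouched unless the check passes."""
    def __init__(self, flash_size, good_digest):
        self.flash, self.good_digest = bytearray(flash_size), good_digest
        self.staging = bytearray()

    def receive(self, data):
        self.staging += data

    def finish(self):
        if hashlib.sha256(bytes(self.staging)).digest() != self.good_digest:
            self.staging.clear()
            return False
        self.flash[:len(self.staging)] = self.staging
        return True

def send(updater_cls, with_filler, flash_size=0x800):
    """Send either the 'signed' all-zero image (constructed stand-in for a real
    signature check) or 0x400 bytes of filler followed by unsigned content;
    returns (verification passed?, unsigned content now on flash?)."""
    u = updater_cls(flash_size, hashlib.sha256(bytes(flash_size)).digest())
    payload = b"UNSIGNED" * 8
    u.receive(bytes(HEADER) + payload if with_filler else bytes(flash_size))
    return u.finish(), bytes(u.flash[HEADER:HEADER + len(payload)]) == payload
```

With the gated updater the check fails yet the unsigned bytes are already on flash; the staged updater fails the same check with flash untouched, and both accept the legitimate image.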
nicoboo, about 1 year ago

Well written and highly detailed description, as always with Fabien's work.

I remember seeing the investigation on this iPhone protection back at the time; what a journey it has been since this work.

Also, I hope someone can provide more information about that minus 0x400 shift before data write so it would be completely explained.
ixtli, about 1 year ago

Just for history's sake: I wrote iPHUC (and yes, I was 19 and came up with that name lmao) and a guy with the nick "nightwatch", who I loved working with, was responsible for the initial jailbreak and coining the term itself. I believe he was also responsible for pdf or tiff exploits that unlocked the PSP, too. He worked and lived in South America, possibly at a university … but that's all I know.

It was a really fun time and I learned a lot.

Also, George Hotz endangered the welfare of a few people who had kindly gotten us access to some documentation in Japanese, despite repeated pleas not to do so. Very frustrating, and why the dev team all eventually stopped working on the project.
vmfunction, about 1 year ago

> These three fields would be concatenated into a token. The token would be sent to Apple server (albert.apple.com) where it would be signed with Apple's private key. The signed token would then be sent back to the device. A daemon lockdownd, listening over USB verified the token using Apple's public key. With the proof that the token came from Apple, and matching DeviceID, IMEI, and ICCID, lockdownd updated the device state to "Activated". The user then had access to the iPhone homescreen and the apps.

Sounds like the precursor to OAuth nowadays.
saagarjha, about 1 year ago

Ah, the good old days. Back when iPhone hacking was easy… well, not easy, but far easier.

rewsiffer, about 1 year ago

Anyone know what tool they used to make the flow diagrams? They seem to be text based and might be superior to mermaid.
tgma, about 1 year ago

One anecdote I remember was when the release of iPhone OS 1.1 broke jailbreak and I was on the IRC channel: one of the tricks found was to downgrade to 1.0.2, jailbreak the phone, symlink the `/root/Media` directory (reachable through iTunes) to `/`, which was preserved during an upgrade, then do a firmware update and have access to rootfs then.

(Yep, it was called iPhone OS back then, not iOS.)

xyst, about 1 year ago

The "S" in original iPhone is for security. All in the name of shipping out that first product.

Just like car manufacturers. Never buy the first few model years of a new product or platform.
xorl, about 1 year ago

Those were the days. :)

adhambadr, about 1 year ago

fuck, this was a beautiful trip down memory lane; thanks for the work putting together and narrating this story so well. I remember following the progress halfway across the globe and doing the hardware soldering hack on my 1st-gen, then good ol' Cydia days. Can't process how young these people were and how they knew how to do such low-level investigative coding. I remember back then I was doing .NET C# and thought I'm the boss. Humbling.