Mac OSx86

Home > News > OTB 1.1.2 iPhone unlock: Bootloader exploits!

OTB 1.1.2 iPhone unlock: Bootloader exploits!

December 1st, 2007 macgeek Leave a comment Go to comments

You have probably heard that the Dev Team needs a 1.1.3 firmware update
for hacking 1.1.2 OTB. This could not be the case anymore!

2 theoretical exploits have been found on the new bootloader 4.6 !!
And you know what it means! 1.1.2 OTB Software unlock coming very soon!

Geohot reported that there are 2 possible exploits, hardware and software.
The next coming days should be decisive!

In the meantime, read this great tutorial for 1.1.2 OTB activation: click here

Read about the exploits in the extended post…

Hardware exploit:

The version check reads from 0xA0021000 and 0xA0021004 to get the version
of the main firmware. It then compares the values [0xA0021000]==~[0xA0021004].
If that check fails it ignores the version check. It is also the only bootloader access
into high flash. So when A16 goes high, pull any data line high or low.
That will cause the check to fail, and hence the version check to be skipped.
And they shouldn’t be any memory accesses in the bootloader, so it’ll be fine.

Software exploit:

This exploit is in the the way the secpack signature is padded.
They did a lot to remove the really bad signature checking of the old bootloader
that IPSF exploited. Although the secpack still has 0×28 bytes of data at the end
that isn’t checked for normal secpack sigs. The secpack sig is(0×30 header/padding,
0×14 main fw sha, 0×14 secpack sha, 0×28 unchecked padding).
So by spoofing the first 0×58 of the RSA, you can set any secpack and main fw sha hash
you want. It is very easy in exponent 3 RSA cryptosystems to spoof the first 1/3 of the
message bytes. With some clever math and brute force, the whole 0×58 can be spoofed.

Those findings have been reported by Geohot.

Share this post!

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/digg_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/reddit_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/stumbleupon_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/delicious_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/technorati_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/magnolia_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/google_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/facebook_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/yahoobuzz_48.png

http://www.macgeekblog.com/wp-content/plugins/sociofluid/images/twitter_48.png

Stream Audio, Photo & Video from your mac to any PS3, XBox 360, and more!

Earn money - Accomplish a freelance project

Categories: News Tags:

giz

is it now possible to unlock otb 1.1.2? where can I get more info?

macgeek

The goal is to unlock OTB 1.1.2 UK/FR/DE/US iPhones.

nuthinbetta2do

Will this method unlock U.S. phones?

macgeek

You guys want an official Apple unlock to be safe for the next coming firmware upgrades. Read this post: http://www.macgeekblog.com/blog/archive/2007/12...

matl1990

YES!!!!!!!!!!!!!!!YES!!!YYEESSSSS!!!!!!!!OMG! thank you. ive been waiting for this for a long time. ill give my life for u to unlock my otb 1.1.2 iphone. please pple. im begging u

Martin

I also will donate 25€ then, to the dev team.

R

I will donate 50 EUR if this is happening before christmas!

thx for all the genius work of these guys!

Tim

Or weeks (I hope day's).

Tim

How many day's (from now).Do you think they (the hackers) need to software unlock the new bootloader 4.6, without apple their new update. So we can unlock our iphone's without waiting for apple's new update. So we can begin making calls.