iPhone Root Password Hacked in Three Days 311

unPlugged-2.0 writes "An Australian developer blog writes that the iPhone root password has already been cracked. The story outlines the procedure but doesn't give the actual password. According to the story: 'The information came from an official Apple iPhone restore image. The archive contains two .dmg disk images: a password encrypted system image and an unencrypted user image. By delving into the unencrypted image inquisitive hackers were able to discover that all iPhones ship with predefined passwords to the accounts 'mobile' and 'root', the last of which is the name of the privileged administration account on UNIX based systems.' Though interesting, it doesn't seem as though the password is good for anything. The article theorizes it may be left over from development work, or could have been included to create a 'false trail' for hackers."
  • Re:Prediction... (Score:3, Interesting)

    by Aladrin ( 926209 ) on Tuesday July 03, 2007 @01:07PM (#19732617)
    "dissuade interested people from possibly buying an iPhone"

    What? This wouldn't have that effect at all. It would have the -opposite- effect. Those who had not planned to purchase may think they could mod it like a PS2 and poof, instant super-phone.

    Yes, we aren't quite there... But I have little doubt we'll get there pretty quickly.

    Now if they manage to unlock it -and- provide access to run any app I compile, I would be very interested.
  • by Anonymous Coward on Tuesday July 03, 2007 @01:09PM (#19732637)
    we read a story about a password to a user account on a phone and don't find that odd at all.
  • Re:Prediction... (Score:3, Interesting)

    by Drizzt Do'Urden ( 226671 ) on Tuesday July 03, 2007 @01:15PM (#19732711) Homepage
    IIRC, if the iPhone uses NetInfo like MacOS X does on Macs, that password might be useful only in single user mode.
  • Re:Prediction... (Score:0, Interesting)

    by Anonymous Coward on Tuesday July 03, 2007 @01:29PM (#19732911)
    Well, Symbian 'viruses' require you to manually allow the installation three times, and some people believe it's insecure. Even if you could reflash your iPhone with your own firmware (unlikely without dedicated hardware), what's to stop unofficial ROMs being made available on the net that contain trojan horses etc., boasting to have some cool new app? All it takes is one stupid user to download it and have his phonebook copied to Russia, call premium rate lines without his knowledge, etc.

    Being spammed on your phone is going to be far more irritating than email spam and, with North American users paying to receive calls and texts (ha ha ha), will cost big bucks.
  • by spotter ( 5662 ) on Tuesday July 03, 2007 @01:34PM (#19732957)
    You don't go after breaking the password, you go after finding where Apple stored it. If it's encrypted, the iPhone has to be able to decrypt it, therefore has to have the password available.

    See how the original Xbox hacker (whose name I forget) captured its encryption key by "simply" (yeah, not that simple) monitoring the bus.
  • by nurb432 ( 527695 ) on Tuesday July 03, 2007 @01:38PM (#19733009) Homepage Journal
    Shouldn't be hidden from me anyway, it's MY phone, I bought it, it's MINE. If I want to do something stupid and brick it in the process, it's my choice (as long as I don't go and cry to Apple for a free replacement).
  • Custom software (Score:3, Interesting)

    by suv4x4 ( 956391 ) on Tuesday July 03, 2007 @01:59PM (#19733287)
    Yes, probably this is the default phone password which the phone uses to "autologin" into itself on startup, and as such isn't useful for "hacking" into the phone remotely.

    But you should consider: a) the phone doesn't support custom software b) thousands of geeks who bought the phone want to write apps for it.

    Maybe knowing the root login is a tiny step in that direction, if you get what I mean. I have the feeling we'll be seeing AT&T remotely disabling phones that have been hacked with custom apps. Same as MS did with modded Xbox 360s.
  • by 0xdeadbeef ( 28836 ) on Tuesday July 03, 2007 @02:07PM (#19733403) Homepage Journal
    I think a lot of people criticising the iPhone at the moment still haven't made the leap from "this is a phone. It does X,Y,Z" to "this is a fully-fledged computer, masquerading as a phone" - with all that that implies.

    Then you understand nothing. The iPhone critics are thinking "this is a fully-fledged handheld computer, running the same operating system as my laptop, that has been intentionally crippled to protect the artificial market segmentation desired by AT&T and Apple."
  • Re:root disabled? (Score:5, Interesting)

    by tgatliff ( 311583 ) on Tuesday July 03, 2007 @02:10PM (#19733461)
    I would be impressed if korn is running on any stty, as there really should be no need for running a shell on a production unit. I am not going to believe this "trying to throw off" business, though... That USB interface is just way too handy to not do terminal interfacing during development/testing... The trick is understanding how they were interfacing to it, though. I strongly suspect that it is just a matter of time before someone invests the time to figure it out...

    In my opinion, the biggest news here is not as how it was reported, but rather that people now can easily modify the default image and try booting it on the iPhone...
  • by jmichaelg ( 148257 ) on Tuesday July 03, 2007 @02:11PM (#19733477) Journal
    I'm wondering if perhaps Apple wants the phone cracked. AT&T doesn't control activation, Apple does. If the phone is cracked then people could buy an iPhone and if another carrier was willing, activate it with some other carrier than AT&T. There are lots of people out there who can't stand AT&T so it's not as if we're only talking about 2 or 3 hackers doing this.

    Jobs could play the innocent claiming that hackers did it all the while happy that yet another iPhone went out the door.
  • by SuperBanana ( 662181 ) on Tuesday July 03, 2007 @02:18PM (#19733599)

    Apple have said they intend to provide updates, changes, additions, etc. to the iPhone over time. They have a policy of supporting older computers with new OS releases, and I don't see why they wouldn't migrate this approach to their new market.

    Except they don't do it for iPods. Each new "generation" of the iPod has run a different firmware *and* had different capabilities, like being able to search. The older iPods never got the functionality of the newer ones, ever. Clickwheel iPods can't "search", nor do they get the newer iPod games, etc. This is just like digital camera manufacturers, home network gear makers, etc. Very, very, very rarely do they take advantage of the firmware updates to increase functionality in any way. Why should they, when they can make you buy version N+1?

    Most of the time they update the iPod firmware only to give it compatibility with the latest iTunes, and these days, the only updates to iTunes are security fixes and bloat (the glorified pedometer, Apple TV, the iPhone, etc. Anyone else remember when you could sync contacts and appointments onto your iPod through iSync?) My second-gen nano (or Mini, or whatever the hell it's called these days) still crashes 50% of the time when I go to play a podcast after syncing it with my mac. I'm not holding my breath waiting for them to fix it.

  • by CompMD ( 522020 ) on Tuesday July 03, 2007 @03:57PM (#19734927)
    So since the firmware restore image is out in the open, is it possible to emulate an ARM CPU in QEMU and boot the image? That would be interesting to find out.
  • hmm... GPL? (Score:1, Interesting)

    by Woody ( 1159 ) on Tuesday July 03, 2007 @04:15PM (#19735143) Homepage
    grab the restore image [edgesuite.net], append a .zip, unzip it.

    strings 694-5259-38.dmg | grep -i gpl
    ...
    (www.memtest86.com). At the time of writing it is free (GPLd).


    yes, it's just memtest, yes we can get it on our own... but apple, where's the modified source?

    there are many more interesting(?) things you can glean from running strings on the non-encrypted but non-functioning (for me) disk image.
  • Re:Prediction... (Score:3, Interesting)

    by kestasjk ( 933987 ) on Tuesday July 03, 2007 @09:25PM (#19738535) Homepage

    The iPhone is also quite obviously very expensive. Price is a key factor in deciding whether or not a product is a worthwhile purchase. It may have superior features, but it's pretty close to a middle-of-the-road product in terms of value. It's not so unreasonable to say that it might be pretty good, but in order to be a good value for its price, it needs to be even better (or cheaper).
    At $499/$599 it should really be more of a PDA than a phone (though the line is blurred these days and will continue to blur). I'd consider $499 for a 2007 Apple Newton, but not a phone.

    By the way do we know yet why they don't let developers run their own apps on the iPhone? It seems that this would make it into something PDA-like very easily. Is it a choice by Apple or was it forced on them?
  • by Anonymous Coward on Tuesday July 03, 2007 @10:00PM (#19738787)
    http://voidmain.is-a-geek.net/forums/viewtopic.php?p=14612#14612 [is-a-geek.net]

    I'm sure someone else has probably figured this out by now but it's pretty easy to mount the firmware image under linux. First get yourself a copy of the firmware from the Apple site and then:

    $ unzip iPhone1,1_1.0_1A543a_Restore.ipsw
    $ dd if=694-5259-38.dmg bs=2048 skip=1 of=/tmp/iphone.img
    # mount /tmp/iphone.img /mnt -o loop

    Then:

    $ ls -l /mnt
    total 4
    drwxr-xr-x 1 root root 9 2007-06-26 20:40 bin
    drwxr-xr-x 1 root root 2 2007-05-22 22:54 dev
    lrwxr-xr-x 1 root 80 11 2007-06-26 20:40 etc -> private/etc
    drwxr-xr-x 1 root root 2 2007-05-22 18:05 mnt1
    drwxr-xr-x 1 root root 2 2007-05-22 18:05 mnt2
    drwxr-xr-x 1 root root 3 2007-06-19 17:42 private
    drwxr-xr-x 1 root root 8 2007-06-26 20:40 sbin
    drwxr-xr-x 1 root root 4 2007-06-26 20:40 System
    drwxr-xr-x 1 root root 7 2007-06-26 20:40 usr
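    The dd line in the post above skips one 2048-byte block to reach the HFS+ volume inside the .dmg. The following script is an added example (not from the post or from Apple): it probes block-aligned offsets for the HFS+/HFSX volume header signature, which sits 1024 bytes into a volume, so you can confirm the skip value before mounting rather than guessing. The sample image it builds is constructed here and is not a real restore image.

```python
import struct

BLOCK = 2048  # block size used by the dd command in the post
HFS_SIGS = {b"H+": "HFS+", b"HX": "HFSX"}  # volume header signatures


def find_hfs_volume(image: bytes, block: int = BLOCK, max_blocks: int = 64):
    """Return (block_index, fs_name) for the first block-aligned offset whose
    bytes 1024..1027 look like an HFS+ (version 4) or HFSX (version 5)
    volume header; return None if no candidate is found."""
    for idx in range(max_blocks):
        off = idx * block + 1024
        if off + 4 > len(image):
            break
        sig = image[off:off + 2]
        version = struct.unpack(">H", image[off + 2:off + 4])[0]
        if sig in HFS_SIGS and version in (4, 5):
            return idx, HFS_SIGS[sig]
    return None


def dd_command(image_path: str, block_index: int,
               out_path: str = "/tmp/iphone.img") -> str:
    """Build the dd invocation from the post for the block index found."""
    return f"dd if={image_path} bs={BLOCK} skip={block_index} of={out_path}"


def build_sample_image() -> bytes:
    """Constructed test input: an opaque 2048-byte wrapper header followed
    by a volume whose HFS+ header signature lives 1024 bytes in."""
    header = b"\x00" * BLOCK
    volume = bytearray(4096)
    volume[1024:1028] = b"H+" + struct.pack(">H", 4)
    return header + bytes(volume)


if __name__ == "__main__":
    img = build_sample_image()
    hit = find_hfs_volume(img)
    if hit is None:
        print("no HFS+/HFSX volume header found at a block-aligned offset")
    else:
        print(f"{hit[1]} volume starts at block {hit[0]}")
        print(dd_command("694-5259-38.dmg", hit[0]))
```

    On a real file, read it with open(path, "rb").read() and pass the bytes to find_hfs_volume; a None result means the image is not a plain HFS+ volume behind a block-aligned header (for example, a compressed or encrypted dmg).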
  • Re:hmm... GPL? (Score:2, Interesting)

    by Woody ( 1159 ) on Wednesday July 04, 2007 @12:38AM (#19739917) Homepage
    Maybe because I was walking out of work to enjoy a nice day off tomorrow and managed to see this story before grabbing the file and doing a quick strings/grep for GPL? Way to ascribe malice there, though. Thanks a ton - hope that attitude works out for you.

    Mea culpa, but no need to be a jerk.
