Saturday, June 5, 2010

Latest progress and new updates.

Well, it's been a few months since my last blog post. Since then the iPad has been jailbroken and 3.1.3 untethered jailbreak has been released (a few days later than I had predicted but the delay was for a good reason). Also, within this time, I've been hard at work developing quite a few new tools for the community (since I still don't have a real job to occupy my time), and I've already released a number of them. A few of them include:
  • idevicerestore: A new tool capable of restoring IPSWs to devices without the help of iTunes. Also capable of doing other neat stuff such as upgrading stock firmware without flashing nor (to preserve jailbreaks) or baseband (to preserve unlocks).
  • ideviceactivate: A new utility to designed to activate devices without the help of iTunes. Hopefully soon this will even allow users to activate unlocked devices, or devices without an official AT&T SIM.
  • spirit-linux: An open source version of the Spirit jailbreak for the Linux platform (and possibly soon others).
  • libirecovery: A library to help developers communicating with iBoot, iBSS, iBEC and DFU, as well as a brand new, completely rewritten, and MUCH improved irecovery.
Also, we've begun publishing the source for some of our greenpois0n components to help new developers start learning and building their very own jailbreak programs. Each one of these components is named after a different poison and all are available under the GNU Public License on our Chronic-Dev Github Repositories.
  • GreenPois0n Cyanide: Is a cross-platform iBoot payload toolkit to help developers discover new vulnerabilities and design super fast, low-level iBoot jailbreaks and exploit payloads, much like the way blackra1n/purplera1n works.
  • GreenPois0n Anthrax: Is a cross-platform iPhone ramdisk toolkit to help developers design extremely stable and portable ramdisk jailbreaks, much like the same way quickpwn/redsn0w works.
  • GreenPois0n Dioxin: Is cross-platform MobileDevice toolkit designed to help developers design awesome userlevel jailbreaks, much the same way spirit jailbreak works.
  • GreenPois0n Arsenic: new, cross-platform custom firmware toolkit to help developers design jailbreaks to help preserve baseband and keep unlocks, much in the same way PwnageTool/Sn0wBreeze works.
Along with all that, I also have a long-overdue, updated, and improved version of genpass, which is used to generate vfdecrypt keys to decrypt iPhone filesystems. This I plan on posting as soon as 4.0 leaves beta. Still, there's a whole lot to look forward to in the near future. The new iPhone4g is rumored to be announced in only a few days. Hopefully, soon after the iPhone4g is released, we'll finally get the new unlock, discovered by Sherif Hashim and implemented by iPhone Dev Team (and/or geohot), a new untethered iBoot vulnerability (the one I talked about in my last post) which was discovered by both geohot and Chronic-Dev Team, and even, (possibly, the holy grail of exploits), a brand new bootrom code execution vulnerability discovered by myself personally (and probably geohot too of course).

That's a LOT of work done in such a short amount of time, but we honestly couldn't have done it without the amazing help and support of this wonderful community. Now, I'm calling on you again to help us out. Help keep us up-to-date with the latest apple devices. Since the new iPhone4g is planned to be announced very soon, I'm starting my new iPhone4g donations fund. We hackers are all kids at heart and need new toys to help keep us motivated and interested in developing new exploits and tools to keep the community happy and supplied. Also, since many of you will be upgrading to the new iPhone4g soon, I want to point out that many of us hackers are still struggling to work with old iPhone2g and iPod1g devices, so even just donations of old or broken devices is a priceless gift to us. I'm confident you will all rise to the occasion and lend us a hand so we can continue to pursue our research and development efforts. Thank you all for all your loving support in the past and your continued effort to help make this one of the largest and most diverse communities on the planet.

Saturday, April 10, 2010


        Let me start off by saying that these have been some of the wildest and craziest months I could possibly imagine. So many new things have happened; I'm really not sure where to begin. But I think I'll start by clearing up a couple of common questions and misunderstandings.

        The one question I get asked the most (other than “when are you going to release?”) is “what is greenpois0n?” Put simply, greenpois0n is a toolkit designed to help discover and exploit new vulnerabilities. Let me repeat that, greenpois0n itself is NOT an exploit. Most exploits typically have much more boring and technical names, such as “iBoot Environment Variable Overflow” or “usb_control_msg(0x21, 2)”. Tools, on the other hand, are typically given more creative names, like redsn0w, blackra1n, or greenpois0n. Even though most of these tools use the same exploits, each one has its own unique strengths and weaknesses. Redsn0w was designed to be robust and low maintenance by using Apple's own NOR flashing routines, whereas blackra1n was designed to be small, fast, and have a low memory footprint. While both these tools are excellent pieces of software, neither had the flexibility nor advanced capabilities that we were really looking for. Thus greenpois0n was born.

        While we do have a GUI designed to allow users to perform a simple jailbreaking, the true power is hidden away in our advanced exploit payload. Once injected into iBoot, greenpois0n inserts many new and powerful commands allowing you to do everything from accessing the AES engine to decrypt firmware keys, hook and call into existing iBoot functions, read and write to blockdevices, including the filesystem (although filesystem is read only right now), and even set breakpoints within iBoot to dump registers and stack information during runtime.

        So what about the exploit I mentioned in the last post? It's still there, and turns out it's the exact same exploit Geohot demonstrated in his iPod Touch 3g video a few weeks ago, but since that time, there have been quite a few new developments. By now, I'm sure everyone has seen or heard about the userland “spirit” exploit demonstrated by Comex, and which was used to jailbreak the first iPad. This exploit is by far one of the most impressive pieces of work I think this community has seen in quite some time. The only problem with this method of jailbreaking is it can be easily patched by Apple in the next firmware update. Also, since the exploit being used resides in userland, you're denied access to many of the low level hardware features, including the ability to decrypt firmware keys. iBoot exploits, on the other hand, are much lower level and offer much more freedom to interact directly with the system unrestricted. With the exploit being so much more powerful, we've decided it would be wiser to release the “spirit” exploit first and hold onto the iBoot exploit until the next hardware revision.

        Soon after this decision, I quickly set to work porting “spirit” to run on Linux and adding these capabilities into greenpois0n. At the same time, Comex, a number of members from iPhone Dev Team, and Chronic-Dev Team helped by fixing many possible snags and getting Cydia prepared to run on the iPad. It was truly an epic display of cooperation by everyone involved. Everything was progressing smoothly until yesterday. The boy-wonder Geohot threw a wrench in our gears once again after discovering a NEW exploit that pretty much blows everything we've got out of the water. So now we're forced to reconsider our release plans once again. As of today (I can't speak for tomorrow, for all I know everything could change again), both the original exploit I posted about earlier and the new “spirit” exploit are probably going to be held off for a little bit longer to avoid being patched by Apple. Also, today I mentioned on my twitter that I can almost guarantee an exploit for 3.1.3/3.2 (all devices, and all models!) before the end of the month. I would strongly advise everyone to keep a close eye on Geohot's blog for updates in the near future. And if you haven't already, PLEASE backup your SHSHs with either firmware umbrella or using Saurik method.

        To all the people asking about an unlock, you're probably going to be waiting until the next iPhone is released. Since it hasn't even been announced yet, there's no telling how long the wait is going to be.

Thursday, March 18, 2010

Crazy Confusion

Ok, I think it's time to clear up a few rumors that have been circulating!! Some people have been calling chronic-dev/greenposi0n fake and about how this is just a way to take everyone's money, or that we're just going to burn an exploit for 3.1.3. The facts are, we've always practiced safe disclose of the bugs we've found.

The 24kpwn vuln we found was already held onto for a few months before it leaked. We were planning to hold off until the 3gs was released, but we were forced to release early because someone had gotten a hold of it and was selling it online.

As for as the latest usb exploit, it's practically the same story. We found the exploit months prior and were waiting for the release of the ipod touch 3g. Sadly, progress on that was horribly slow because only one member of the team actually had access to a device, and he was very busy dealing with real world stuff at the time. This is the reason I started the first donation fund. When I received the device I was also the first to dump the keys from the device less then a week later, which (I'm assuming) is what helped geohot be able to run his first bits of code to develop blackra1n and then he released it shortly after. This pretty much made greenpois0n obsolete at that time.

Now it's the same story again. I will say we do have at least one new exploit that we've been sitting on for the past few months waiting specifically for the ipad, (NOT 3.1.3) but I'm not going to say anything more about it, other then, yes it's untethered.

As far as greenpois0n is concerned, it's been a long grueling 7 months since we first announced we were developing it. Unfortunately, not all of our members at chronic-dev are seasoned developers, and the few that are can only help sporadically in-between school and work. Since I probably had the most programming experience and free time, I took charge of the project and have sunk literally hundred and hundred of hours into development. From the first version written in 100% ARM assembly (the most fun I ever have had while not having any fun at all), down to the latest version, a beautiful iboot hacker toolkit and payload framework, work on greenpois0n has never stopped (although there were many months where I was the only person contributing).

I guess what I'm trying to say is, with all my time, sweat, blood, and tears (and adderall) that i've invested into this product, it really irks me when I see people calling it fake. And far as the donation thing is concerned, this something I really really hate doing. If I had a job and the money I would of never ever considered asking for any donations, and I was still reluctant to. The only reason I finally decided to post the chipin is because many people (including some of the devs who make all your beloved jailbreak apps) encouraged me to start this fund. They believed in me and were the first to donate. I'm not trying to force anyone to donate, take advantage of anyone, or holding anything for ransom. I'm just looking for some help to allow me to continue my research fulltime (which ultimately helps all of you in the end). I thank all the people who have already donated. But if you're still a skeptic, then that's fine too. (because you're probably the same ones that will come crying when you accidently upgrade your ipad, and then I get to laugh at you)

here's the link if anyone missed it