Current App Pack hacking & Jailbreaking summary

Discussion in 'iPod touch 1.1.3 Jailbreak' started by Romanko, Jan 18, 2008.

  1. Romanko

    Romanko New Member

    Joined:
    Jan 16, 2008
    Messages:
    34
    Likes Received:
    0
    Here is my small summary on App Pack hacking & jailbreaking.

    =====

    Myths busting

    - Root partition can be accessed with 3rd-party tools (e.g., Total Commander, iphonelist)

    That's impossible. All those tools use the com.apple.afc service, which allows access only to the /var/mobile/Media/ folder. It's visible as root to those tools.
    To access root, you have to update the fstab file (which holds the settings for mounting partitions). To do this, you have to decrypt / get the encryption key for the firmware image. Since 1.1.2 was released, nobody has got that key. This work requires a lot of experience.

    - I guess I can figure out how to run SSH etc. if I put them in the iPod's Media folder.

    That's impossible. There is no tool to run a remote application on the iPod from a PC / Mac. Also, the iPod knows ONLY about applications placed inside its /Applications folder. To make an application appear on the Springboard some preferences must be altered. There is no access to preferences files (except the ones backed up with iTunes).

    - I can sync a "stolen" App Pack from iTunes

    BS. iTunes uses DRM to verify whether this upgrade was really purchased by you. You will only get an alert which tells you to authorize your computer. There is still no way to cheat the DRM.

    - I think if I shift/option + click the Update button in iTunes and choose the App Pack to update, I will get this upgrade installed.

    BS again. This will damage your firmware and you will have to restore the iPod.

    =====

    Now good news

    So what do we have?

    iPod touch App Pack blah-blah-blah.ipa is a ZIP archive. It has 4 files inside:

    - Manifest.plist, which holds information about the upgrade, such as DRM, security digest, path to executable (I guess it's fake for iPod touch)
    - Manifest.plist.p7b is the security certificate. It's a kind of public key to verify that Manifest.plist is correct and has not been modified. Forget about hacking Manifest.plist.p7b; you would need the public/private key pair and exact Apple certificate information to create a fake one.
    - nikita_receipt.plist is the executable file, according to Manifest.plist
    - nikita_receipt.plist.sirf holds DRM data. Do you remember that there is no way to hack it yet?

    The upgrade package unlocks additional applications. As you may know, 1.1.3 already contains them. The additional applications are hidden until you purchase the January Upgrade.

    There are 2 near-to-success concepts for how to install the upgrade:
    - using iPHUC
    - patching iPod backups

    Upgrade using iPHUC
    --------------------------

    According to the reverse-engineered iTunesMobileDevice.dll (it comes with iTunes and implements the communication protocol between iTunes and the iPod/iPhone), the App Pack must be uploaded to the iPod and stored as /var/mobile/Media/Nikita/nikita.zip (it will look like /Nikita/nikita.zip if you access the iPod with Total Commander or iPHUC).

    After this a special service must be launched on the iPod. It is called com.apple.mobile.nikita_install. This service takes care of the upgrade installation. If you give 'startservice com.apple.mobile.nikita_install' to iPHUC (it must be run with the -d option, in debug mode) you will see that a positive integer is returned. This will be the handle of the service, which means that the service was started successfully. It's sad, but nothing happens at this point...

    This method is still under research. There are no positively confirmed installs yet.

    UPD. It seems that Apple updated the sync/restore protocol in iTunes 7.6 and 1.1.3. The current iPHUC tool is a bit outdated for the new protocol.

    Patching iPod backups
    ---------------------------

    The iPod backup contains preferences for the Springboard and so on. The App Pack already exists on your iPod with 1.1.3 firmware; it's just disabled. The idea is to alter the preferences to bring the hidden applications back to the Home screen. Some people were able to bring WebClips to the Springboard with this method. This is the first success. Currently there is no complete hack released yet. It would be nice if somebody who has 1.1.3 and the App Pack upgrade would share his backup files for research.

    You have to perform the following steps:

    1. Run iTunes and disable music, video, photos, contacts etc. synchronization. Hit Apply and Sync.
    2. Unplug the iPod, go to iTunes preferences and remove any backups (the Sync tab)
    3. Hold the iPod power + home buttons together for 20-30 seconds, until you see the iTunes and iPod connector icon. This means that your iPod is in recovery mode.
    4. Plug it back into iTunes. It will inform you that your iPod must be restored. Click the Restore and Update button. Wait for the end of the process.
    5. After the restore you will be prompted for the iPod name. Give it "iPod" (without quotes)
    6. Sync the iPod (don't enable anything from media, contacts etc. to sync in iTunes). Make sure you have the App Pack installed. This is important!
    7. Look for the fresh backup. If there is none, unplug your iPod, make minor changes to its preferences, plug it back in and Sync. Backup files must be created at this point.
    8. Zip them and upload somewhere / attach to this thread / PM me so anybody who wants to take part in the hacking can have a fresh copy of the backups for research.

    A freshly restored iPod without content does not have any critical personal information. It's safe to share backups.

    Backups on Windows are located at this path: "C:\Documents and Settings\<your account>\Application Data\Apple Computer\MobileSync\Backup\". The "Documents and Settings" directory is hidden on Windows.

    On Mac, backups reside in the ~/Library/Application Support/MobileSync/Backup/ folder.

    This step can also be repeated with another iPod, and both backups can be checked for differences. Thus we will know what the App Pack upgrade changes in the settings.

    Happy hacking

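One way to do the backup comparison suggested in the post above, as an added example that is not part of the original post or of any tool named in the thread: it hashes every file in two backup folders, reports which files were added, removed or changed, and for changed .plist files lists the keys whose values differ. The two sample backups, their file names and the plist keys are constructed placeholders, not the real iTunes backup layout.

```python
"""Hash-compare two backup snapshots and report changed plist keys.

Added example, not from the thread. The file names, plist keys and
values in build_demo() are constructed placeholders, not Apple's format.
"""
import hashlib
import plistlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large backups are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Classify files as added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(k for k in before.keys() & after.keys()
                          if before[k] != after[k]),
    }


def plist_key_diff(old_path, new_path):
    """For a changed plist, return {key: (old_value, new_value)}."""
    with open(old_path, "rb") as fh:
        old = plistlib.load(fh)
    with open(new_path, "rb") as fh:
        new = plistlib.load(fh)
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys
            if old.get(k) != new.get(k)}


def compare_backups(before_dir, after_dir):
    """Full report: file-level diff plus key-level diff for changed plists."""
    before, after = snapshot(before_dir), snapshot(after_dir)
    report = diff_snapshots(before, after)
    report["plist_changes"] = {}
    for rel in report["changed"]:
        if rel.endswith(".plist"):
            report["plist_changes"][rel] = plist_key_diff(
                Path(before_dir) / rel, Path(after_dir) / rel)
    return report


def build_demo():
    """Constructed sample: two fake backups that differ in one plist key
    and one extra file. Names and keys are hypothetical placeholders."""
    base = Path(tempfile.mkdtemp())
    before, after = base / "before", base / "after"
    for d in (before, after):
        d.mkdir()
        (d / "Info.plist").write_bytes(plistlib.dumps({"DeviceName": "iPod"}))
    (before / "springboard_prefs.plist").write_bytes(
        plistlib.dumps({"hiddenApps": ["Mail", "Maps"], "version": 1}))
    (after / "springboard_prefs.plist").write_bytes(
        plistlib.dumps({"hiddenApps": [], "version": 1}))
    (after / "receipt.plist").write_bytes(plistlib.dumps({"purchased": True}))
    return compare_backups(before, after)


if __name__ == "__main__":
    for section, value in build_demo().items():
        print(section, value)
```

Run it against two real backup folders by calling compare_backups(path_before, path_after); unchanged files are skipped entirely because their digests match, so the report only lists what the upgrade actually touched.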
  2. x6blues

    x6blues New Member

    Joined:
    Dec 13, 2007
    Messages:
    2,879
    Likes Received:
    113
    Very nice, this should be stickied. It could stop all the "1.1.3 app" questions; very helpful. Hopefully this can be hacked soon though.

  3. kappatango

    kappatango New Member

    Joined:
    Jan 2, 2008
    Messages:
    998
    Likes Received:
    6
    That is an Awesome post man.

    Well written, informative and precise.

    Great post. Kudos.
  4. RedrumsSam

    RedrumsSam Member

    Joined:
    Oct 1, 2007
    Messages:
    622
    Likes Received:
    1
    Device:
    iPhone 4S (Black)
    Very nice. People are starting to break down the processes so that those of us who aren't too sure about the technical stuff are getting an understanding of how the jailbreak works. Thanks.
  5. darc10222

    darc10222 Banned

    Joined:
    Dec 24, 2007
    Messages:
    749
    Likes Received:
    0
    Great post, might stop some of the useless threads filling up this section.
  6. bodi_dillon

    bodi_dillon New Member

    Joined:
    Jan 9, 2008
    Messages:
    172
    Likes Received:
    0
    Once we go to "C:\Documents and Settings\<your account>\Application Data\Apple Computer\MobileSync\Backup\" and go into that folder, then what do we do? Post what's in that folder? I'm not sure I understand.
  7. letranger

    letranger New Member

    Joined:
    Jan 17, 2008
    Messages:
    5
    Likes Received:
    0
    Cool

    Thanks for your posting...

  8. Romanko

    Romanko New Member

    Joined:
    Jan 16, 2008
    Messages:
    34
    Likes Received:
    0
    Yes, zip everything inside and make it available to the public: attach it to this thread in a new post, or PM me (or anybody who wishes to take part in the research), or upload it somewhere and provide a link, etc.
  9. Romanko

    Romanko New Member

    Joined:
    Jan 16, 2008
    Messages:
    34
    Likes Received:
    0
    Thanks, I hope this will be useful
  10. johnInSJ

    johnInSJ Member

    Joined:
    Dec 15, 2007
    Messages:
    551
    Likes Received:
    9
    Device:
    iPhone 4 (Black)
    Anyone else find it funny that the name they chose for the directory where files move from the untrusted domain (i.e., outside) to the trusted domain (inside) is that of one of the most feared leaders of the Cold War era Soviet Union, Nikita Khrushchev?

    Or is it just us old timers that find that funny? http://en.wikipedia.org/wiki/Nikita_Khrushchev

    Cold war indeed. This was the guy, along with Kennedy, that got us the closest thus far in the nuclear age to all out nuclear war.

    Apple, it seems, is not without a sense of irony.
