Thursday, September 10, 2009
Vonage on iPhone
Vonage has promised to release an official iPhone app to compete with other providers such as Skype, and it is currently working its way through Apple’s well documented approval process. Unfortunately, this app would most likely come with an initial cost and/or subscription fee, though a way has been figured out to retrieve Vonage’s SIP authentication information, which would allow use of the Vonage network over other iPhone SIP Clients such as Fring. This solution does still contain the Wi-Fi only clause, but we have ways of making you talk, iPhone. This could also possibly be used on other platforms with SIP clients such as Android or WinMo.
Wednesday, June 3, 2009
New PSP leaked
Engadget has video from the June 2009 episode of Qore that shows the new PSP Go. It has a slide out gamepad, 16GB internal storage, bluetooth, and a memory slot of some sort. We’re naturally curious about its potential as a homebrew platform. Will Sony take the mature route they did with the PS3 and let you run Linux or will they continue the firmware arms race the PSP is known for? We’ll be hearing more about this platform at E3 next week.
Thursday, May 7, 2009
APRS tracking
We really wish we had a little more information on the construction of this, but [Jeff] made this APRS tracker several years ago. APRS, or Automatic Packet Reporting System, is a system where shortwave radios put out small packets of data that are uploaded to a database available via the web. This specific one is relaying GPS data so his family can see where they are located. With current phones, you might think this is antiquated, but he notes that he took this through New Mexico and was able to transmit his position even when there was zero cell phone coverage.
Friday, March 13, 2009
25C3: Hacking the iPhone
As promised in their yellowsn0w demo, [pytey], [MuscleNerd], and [planetbeing] from the iphone-dev team presented at 25C3 on their work Hacking the iPhone. The team originally formed in 2007 and this is the most comprehensive presentation on how the iPhone was compromised to date. You can find the full talk embedded above.
They opened with a few stats about how popular their software is. Our favorite by far is that at least 180 people with Apple corporate IPs update their phones using the dev-team’s software on a regular basis. From there the talk was split into two sections: jailbreaking the S5L application processor and unlocking the S-Gold baseband processor.
The phone relies on a chain of trust to guarantee that only Apple’s code is being run on it. All of userland is signature checked by the kernel. The kernel is checked when loaded by iboot. The iboot image is checked when loaded by LLB. LLB is loaded from the NOR by the lowest piece of code, the bootrom. That’s where things fall apart; the bootrom does not check the signature of the LLB. To take advantage of this, the team found what they describe as a classic stack buffer overflow in DFU mode. DFU is Device Firmware Upgrade mode, a state that the phone can be forced into after the bootrom loads. Their exploit forces the certificate check to return ‘true’. They are then able to patch all of the subsequent signature checks out of the phone’s system.
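The chain of trust described above can be modelled as an added example (this is not the dev-team's code or Apple's). An HMAC under a constructed vendor key stands in for the real RSA signatures; the point it shows is why a root stage that skips verifying the first mutable link lets every later check be patched out:

```python
import hashlib
import hmac

# Constructed toy model of the boot chain: bootrom -> LLB -> iboot -> kernel -> userland.
# A real device uses RSA signatures over each image; here an HMAC under a key that only
# the "vendor" holds plays the same role (constructed key, not a real one).
VENDOR_KEY = b"vendor-signing-key (constructed)"
BOOT_ORDER = ["bootrom", "LLB", "iboot", "kernel", "userland"]

def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

def verify(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(image), sig)

def build_images():
    # Sample image bytes for each stage (constructed; the contents do not matter).
    return {name: (name + "-code-v1").encode() for name in BOOT_ORDER}

def walk_chain(images, sigs, checks_signature):
    """Simulate boot. checks_signature[stage] says whether that stage verifies its
    successor before handing over. Returns the first stage whose check fails,
    or None if the whole chain loads."""
    for cur, nxt in zip(BOOT_ORDER, BOOT_ORDER[1:]):
        if checks_signature[cur] and not verify(images[nxt], sigs[nxt]):
            return nxt
    return None

def scenario(tamper_stage, bootrom_checks_llb):
    """Boot with one stage modified. As in the talk, every stage verifies the next
    one except that the bootrom only checks the LLB when bootrom_checks_llb is True."""
    images = build_images()
    sigs = {n: sign(img) for n, img in images.items()}   # signatures over the genuine images
    checks = {n: True for n in BOOT_ORDER}
    checks["bootrom"] = bootrom_checks_llb
    if tamper_stage:
        # The modified image no longer matches its signature...
        images[tamper_stage] = (tamper_stage + "-code-PATCHED").encode()
        # ...and if it runs anyway, it can patch out its own check and all later ones.
        for n in BOOT_ORDER[BOOT_ORDER.index(tamper_stage):]:
            checks[n] = False
    return walk_chain(images, sigs, checks)
```

A tampered iboot is caught by a genuine LLB, but a tampered LLB boots undetected unless the bootrom itself verifies it.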
The baseband processor proved to be much more difficult simply because it doesn’t have any sort of recovery mode; bricking a phone was always a possibility. The S-Gold is a complete system-on-chip and has a unique ID on each phone. The NOR also has a unique ID on each phone. These two IDs are used to sign the secpack, which in turn enforces the SIM carrier lock. These unique IDs are why you can’t just take an officially unlocked phone and copy the secpack off of it to unlock another phone. Everything else is identical: the firmware, the baseband, the bootrom are all the same. On the second generation iPhone, the bootrom checks the bootloader. The bootloader then verifies the bootrom before checking and then loading the firmware. The firmware enforces the carrier lock. The team decided that it wasn’t worth attempting to break the chain of trust. The SIM unlock code they developed is divided into two sections. The first part is the actual software unlock. They patch the firmware while it’s running in RAM. Their patch modifies the firmware’s decision tree about whether to enforce the carrier lock. The second half is the exploit that allows them to inject the code. The team knows that Apple can and probably will patch the exploit hole, but their RAM patching code will always work, so it’s just a matter of finding another hole to apply it through. In order to do a permanent unlock solution (like on the first generation iPhone), they’d need to analyze the actual bootrom code.
The team mentioned several things Apple did that actually helped them in their efforts. Security was gradually rolled out, so they were able to look at things that would eventually be hidden. The firmware was initially unencrypted. Earlier versions trusted iTunes, something they could easily modify. All userland apps originally ran as root meaning any application exploit gave root level access.
The iphone-dev team has truly put in a tremendous amount of effort and we look forward to the yellowsn0w release on New Year’s Eve.
Wednesday, March 11, 2009
iPod Touch 2G jailbreak released

The iPod Touch 2G jailbreak was first shown in January. It had to be applied every time the iPod was booted. The iphone-dev team just released the 24kpwn LLB patch to allow for a persistent jailbreak. The team had been hanging on to this patch because there was the possibility the exploit could be used on future iPhone versions. Unfortunately, a group started selling the code, so the team was forced to release it for free. iPod owners are certainly happy though. There is a tutorial available for updating a factory reset iPod (backup link). The team will include the patch in future official tools.
UPDATE: [cptfalcon] pointed out a post that covers the technical details of the exploit.
Sunday, March 8, 2009
New battery for an HP50G

According to the author, the HP 50G is an awesome calculator. But as awesome as it is, it is powered off of not-so-awesome AAA batteries. These little batteries don’t last long under the load of the calculator’s awesomeness, so a mod needed to be done. The battery chosen for installation was a replacement battery for a Sony PSP. He was able to find one, including the external charge regulator board, for $10. Dropping it into the case and wiring it to charge off of the existing mini USB port looks fairly simple; very few actual modifications to the body are necessary. Unfortunately, they did end up with an LED protruding from the bottom that makes it wobble a bit, but they’re guessing that they get about 2x the battery life now.
Thursday, March 5, 2009
iPhone Linux
iPhone Linux Demonstration Video from planetbeing on Vimeo.
Embedded above is a demo video of an iPhone running a Linux 2.6 kernel. The iphone-dev team has created a new bootloader called OpeniBoot. The bootloader lets you boot into a Linux console, which you can talk to over a USB serial device. They’ve got busybox working, but there is no touchscreen support yet. The instructions are not that difficult and include how to back up your settings. It works on first and second gen iPhones and first gen iPod Touch. This is a very early port, but the future is wide open… Android iPhone?
iPhone 3G unlock video
To appease people waiting for the iPhone 3G unlock, iphone-dev team member [MuscleNerd] did a live video demo this afternoon. The video shows him removing the AT&T SIM and putting in a T-Mobile SIM. After the switch, the phone shows no connectivity. He then runs “yellowsn0w” in an SSH session with the phone. The phone then unlocks without needing to be rebooted and the signal bars appear. The final test shows the phone receiving a call. The target for this release is New Year’s Eve and it doesn’t support the most recent baseband. We’ll be attending the 25C3 talk hosted by [MuscleNerd] and other team members. The VNC screen you see in the video is thanks to [saurik]’s Veency.
Cell phone shoe

Sometimes you absolutely need to keep your phone a secret. You know, like when you’re on spy missions. The goons at the door will always frisk you, but they never check under your shoe, right? [mikeyberman] shows us how to make our own Maxwell Smart style shoe phone. All you need is to dig a giant hole in your shoe sole and cram a cell phone in there. Will it get ruined by water? Probably. Will you look like a goon trying to talk on it? Definitely. Can you make it through airport security? Try it and let us know.
Wednesday, March 4, 2009
Tiny projector teardown
The team from Tech-On has taken the time to tear down two interesting microprojectors. The first model they tackled was the Optoma PK101. It’s based around a digital micromirror device (DMD) like those used in DLP. Separate high intensity red, green, and blue LEDs provide the light source. A fly-eye style lens reduces variations between images. They noted that both the LEDs and processors were tied directly to the chassis to dissipate heat. The next projector was the 3M Co MPro110. It uses Liquid Crystal on Silicon (LCoS) technology. The light source is a single bright white LED. The projector seems to have more provisions for getting rid of heat than the previous one. The most interesting part was the resin polarizing beam splitter. It not only reflects specific polarizations, but also adjusts the aspect ratio.
25C3: Nokia exploit stops all inbound SMS

[Tobias Engel] released a serious Nokia vulnerability today. By using a specially crafted SMS message, you can block the recipient from getting any future SMS messages. The attacker changes their Protocol Identifier to “Internet Electronic Mail” and then uses any email address 32 characters or more in their message. The recipient will receive no indication that they got the message and no other messages will be allowed until the phone is factory reset. You can see a demo video here. This affects many different varieties of S60 phones and no fix is known.
iPhone 3G unlock released

As promised, the iphone-dev team has released yellowsn0w. You can install/uninstall via Cydia. It works fine with the latest firmware too.
Multitouch patched into Android

[Luke Hutchison] has come up with a rather clever hack to get multitouch support on the G1. He wrote a patch against the Synaptics touchscreen driver. When two fingers are placed, the driver reports the x/y of the midpoint and a radius for the size field. If only one finger is used, the size is reported as zero. The nice thing about this approach is that it’s backwards compatible; the extra data will be ignored by current apps. Unfortunately, Google’s Android team says that if multitouch is ever added, it would identify individual fingers and would definitely not use this method.
Debian on the G1 once again
[ghostwalker] dropped in on our previous Debian Android post to let us know that he had streamlined the install process. The first time around, it quickly became difficult to complete the process because firmware updates had taken away root access. Hackers have since figured out how to downgrade from RC30 and install BusyBox. All you need to do to put Debian on your phone is download the package from [ghostwalker] and then run the installer script. This isn’t technically a port since Debian already has ARM EABI support. What would you run on your phone if you had access to the entire Debian package tree? A video of Debian starting up is embedded below.
Forknife, Android G1 controlled robot

When we first saw [Jeffrey Nelson]’s G1 based robot we immediately wondered what the transport for the controls was. The G1’s hardware supports USB On-The-Go, but it’s not implemented in Android yet. It turns out he’s actually sending commands by using DTMF tones through the headphone adapter. The audio jack is connected to a DTMF decoder that sends signals to the bot’s Arduino. He wrote client/server code in Java to issue commands to the robot. You can find that code plus a simple schematic on his site. A video of the bot is embedded below.
WiFi and Bluetooth tethering on Android

Many G1/ADP1 owners have been using the app Tetherbot to get internet access on their laptop via USB to the phone’s data connection. The app relied on the Android Debug Bridge to forward ports. It worked, but people wanted a solution better than a SOCKS proxy. The community figured out a way to create a properly NAT’d connection using iptables and then [moussam] rolled them up into easy to use applications. There’s one for setting up a PAN device on Bluetooth and another for adhoc WiFi networking. It requires you to have root on your phone, but hopefully you’ve achieved that and are already running the latest community firmware.
Cell phone triggered fireworks

[Mr. Hasselhoff] is using a disposable cell phone to trigger his fireworks. He has wired into the speaker leads for the speaker phone. When the phone rings, the current sets off a thyristor allowing for a battery pack to be discharged into a rocket fuse. These fuses heat up and ignite, so you can use them to light fireworks fuses pretty easily. This is pretty simple and cheap, considering the price of the cell phone was only $10. His next idea was to have it recognize dial tones and set individual fuses off, but that would require a microcontroller and a much more complex hack. At that point, you might as well just build a fully fledged wireless fireworks launching system and possibly add rocket launching abilities too.
X11 on Android

[ghostwalker] has put together instructions for running X11 on your Android device. This means you can run a full-blown Linux desktop environment on your phone. It requires you to already have a Debian shell on the phone, which we covered earlier. Instead of having to come up with a custom display driver, it’s hooked to a VNC server. You can connect to it using an Android VNC viewer on the phone or via any other VNC client. The how-to suggests either IceWM or the even lighter-weight LXDE for a window manager. You could potentially install Gnome or KDE, but we’d be surprised if it was any faster than dog slow. Let us know if you have any success with this and what you think the best use is.