iPhone Jailbreaking: The Landscape Shifts Again

I didn’t expect to be writing another column about iPhone jailbreaking so soon after my previous one. I figured it would be at least six months before the status of jailbreaking had changed enough to warrant another look.

I was wrong. In the past few weeks, there have been several significant shifts in the jailbreaking landscape. Significant enough that I felt obligated to post this status update. 

Good news. First, there’s some good news. At least it’s good for those interested in jailbreaking their iPhones.

Hackers have discovered a new jailbreak “hole” in iPhone OS 3.1.x. It’s called the usb_control_msg(0x21, 2) exploit. For the first time, this allows iPhone 3GS users to jailbreak their iPhones right “out of the box” — no matter what version of the OS the iPhone is running. Yes, this means if you have an non-jailbroken iPhone 3GS running the latest iPhone OS 3.1.2, you can now jailbreak it. Admittedly, I had been skeptical that this would ever happen.

This news gets better. The procedure to jailbreak these (or any other jailbreakable iPhones and and iPod touches) is once again a simple almost-anyone-can-do-it procedure. Although there are a couple of different jailbreak utilities available, I recommend PwnageTool 3.1.4 (you’ll find links to it at the bottom of this Dev-Team Blog article).

In my case, I simply launched PwnageTool, selected Simple mode, and clicked the iPhone 3GS image. After following a few prompts, I wound up with a customized version of the iPhone OS firmware update file (iPhone2,1_3.1.2_7D11_Custom_Restore.ipsw). Next, from within iTunes, I selected to restore my iPhone using this custom .ipsw file. To do so, I clicked the Restore button from the iPhone’s Summary screen while holding down the Option key. I then selected the .ipsw file from the Open dialog that appeared. Yes, this meant I had to restore all my settings, apps and media to the iPhone. But that just required taking the time; the process itself is quite easy. If you need more help with any of this, you’ll find good tutorials at iclarified.com (although I did not find it necessary to follow their recommendation to use PwnageTool’s Expert mode).

PwnageTool

Figure 1: PwnageTool

When done, I had a jailbroken iPhone with all my apps, photos, music, video and podcasts restored. Everything worked fine.

At this point, you’ll find two new apps on your iPhone: Cydia and Icy. You use them to install additional third-party apps. Launch either one, browse through its selections and install what you want. The process works similarly to using the App Store installer. Again, if you need help, various Web sites offer tutorials (such as this one).

Cydia Apss intsalled

Figure 2: Left: The Cydia app. Right: Cydia, Icy, Terminal, and iFile icons in the fourth row.

All I wanted from my jailbreak was convenient root access to the iPhone — so I could do the various troubleshooting and tweaking for which root access is required. To do this, I installed three apps: MobileTerminal, iFile, and Netatalk. [Note: Netatalk is a faceless app; that means there will be no app icon on your Home screen for it.] Here’s briefly what each of these apps do:

• MobileTerminal works like Mac OS X’s Terminal application, except it runs on the iPhone.

• iFile is a Finder-like utility that allows you to navigate to, view and even modify virtually any file on your iPhone — via a much more user-friendly interface than MobileTerminal.

• Netatalk is especially cool. With it, you can wirelessly mount your iPhone on your Mac, via your local Wi-Fi network. Your iPhone’s name shows up on your Mac in the Shared section of the sidebar list in any Finder window. To connect, just click the name (first making sure the iPhone is not asleep). You will be asked to enter a user name and password (enter “root” and “alpine”; the defaults). Once a connection is made, your iPhone becomes like a mounted external hard drive. You can copy files between the iPhone and the Mac at any folder location. You can even edit files directly on the iPhone. For more help, check the User Guide built-in to the Cydia app: Copying Files to/from Device.

Note: You may want to change the root password for the iPhone — so others cannot use the known default password to connect to your iPhone. Another Cydia User Guide explains how: Change Default Password.

There are several alternatives to Netatalk for connecting your iPhone to your Mac. One is to use the Web Server built-in to the iFile app. With this, the contents of your iPhone are accessible via a Web browser. Second, with a jailbroken iPhone connected to your Mac via a USB cable, you can use DiskAid to access the root level contents of the iPhone. Finally, for those comfortable with using Terminal, there is the option to establish an SSH connection.

Netatalk sharing

Figure 3: With Netatalk installed on my iPhone, “Ted’s iPhone 3GS” appears in the Shared section of my Mac’s Finder sidebar.

I hadn’t initially intended to go into all this detail. But I could see no better way to communicate why jailbreaking can clearly be “worth it.” For those with less geeky interests, there are variety of other apps and customizations (including games and Home screen themes) that you can install via Cydia or Icy. There’s even an app that allows you to run other apps in the background (I haven’t tried it yet). Still, for me, the main reason to jailbreak is root access.

Bad news. For jailbreakers, there’s also been some significant bad news in the past few weeks:

• Everyone concedes that the usb_control hole is likely to be plugged in the next update to the iPhone OS. At that point, unless some newer hole is discovered, the situation will return to the fairly dismal state that I described in my previous article.

There’s one bit of good news even here. If (like me) you take advantage of the currently open window to jailbreak your iPhone, you can use the Cydia app to put your iPhone’s “ECID SHSH” data on file with Cydia’s server. All you need do is tap a button after you launch Cydia (notice the text, near the top of Figure 2-left, that confirms I’ve done this). This should allow you to continue to jailbreak your iPhone in future OS updates, even if everything else gets plugged up.

• PwnageTool 3.1.4 does not work with an un-jailbroken iPod touch 2G or any iPod touch 3G. Support may come with the next version of PwnageTool. Or it may not.

By the way, you may have heard about tethered jailbreaks, especially for the iPod touch. This refers to a jailbreak where, if and when you ever need to restart your device, you need a wired connection (tether) to some other device to do so. These are only used if no un-tethered jailbreak exists. In my opinion, avoid tethered jailbreaks; they aren’t worth the hassle.

• In an unusual move last week, Apple modified the BootROM of currently shipping iPod touch 3G and iPhone 3GS models. This had the effect of blocking a jailbreak exploit, called 24Kpwn, for these models (see ars technica and iclarified articles for details). Apple made no announcement of this. It just silently made the change. As I understand it (and I admit to some confusion here), current jailbreaking utilities use this exploit (in addition to the usb_control exploit noted at the top of this article). This means that the now shipping iPhone 3GS can no longer be jailbroken…period.

Bottom line: If you have an iPhone 3GS (except for the ones that began shipping last week) and you want to get aboard the jailbreak train, now is your chance. Get on board before the train leaves the station (via the next iPhone OS update). More generally, the long-term outlook for jailbreaking remains as gloomy as ever. Expect Apple to continue to make it as difficult as possible to jailbreak. That may mean impossible. For now, I’m just glad to once again have the joys of a jailbroken iPhone.