2008/02/02

iPhone Hacking Kit, the next generation


PLEASE NOTE THESE TECHNIQUES WERE POSTED IN SEPTEMBER 2007 AND ARE ONLY APPLICABLE TO 1.0 VERSION IPHONES.

In mid-August, I posted a detailed guide to hacking your iPhone here at iPhone Central. In those free-wheeling bygone days of iPhone hacking you customized and manipulated your phone using a combination of a simple “jailbreak” application and a lot of command-line work in the Mac terminal. To hack your phone then, you had to have access to a lot of different files, you had to transfer these files using arcane commands, and you had to make sure not to screw up, or miss any steps, lest you be forced to start over. If things went well, the entire process took 30-45 minutes.

All of this was possible, of course, thanks to the work of some extremely smart, talented, and resourceful hackers from around the world. Working without any official documentation or tools from Apple, they managed to create — very quickly — an entire iPhone development system, and then use it to create a number of applications.

Now those same hackers have opened up the iPhone even further, allowing hacking “for the rest of us.” In addition to making it possible to hack your phone without ever launching the Mac terminal, or entering a command-line phrase, they’ve created an automatic software update and installation system that is far cooler than any iTunes-based scheme that might come along.

So, while hacking your iPhone the old fashioned way is still a fun way to get to see the guts of the phone’s OS, and possibly learn a little Unix along the way, it’s now much easier to use some of the new tools that are available.

In this tutorial, we’ll walk through exactly what those tools are, where to find them, what they do, and how you might want to augment them with a little extra work, depending on the level of hackery that you want to employ.

Onward to the instructions, after the jump.

Uh, again, why would I hack my phone?

Back in ancient times (a few weeks ago), the reasons to hack your iPhone fell largely into the "it's a cool thing to do"/"it's fun"/"it's really geeky" type categories. There were some very handy applications available at the time, such as a screenshot application, but it was largely an exercise in learning about the phone. iPhone hacking is still a good exercise, but there are more and more useful applications arriving all the time.

In addition to games such as a very workable Nintendo emulator, there's now a serviceable AIM client, an RSS reader, a text editor, voice recorder, Twitter client, and more. (See lists at Ste Packaging and Conceited Software.)

And, while it's theoretically possible to screw up your phone by messing around with it, I have yet to hear of a single occurrence of a phone being "bricked" or in any other way messed up to the point where it couldn't be fixed by simply doing a restore.

That said, before you get started, sync your phone so that you've got a good backup, and then dive in. If you want to be very cautious, do a restore of your phone, then sync it (restore from your backup, don't treat it as a new activation), then choose Settings: General: Reset: Reset All Settings. This will give you a very clean phone for the start of your hacking escapades.

AppTapp

iPhone hacking, and all future application installation and updating, are now handled by a single application developed by Nullriver, Inc. At the time of this writing, the application is at version 3.0, but development is proceeding very quickly - sometimes with one or two updates a day.

You can download AppTapp for free. AppTapp is a Mac application, not something you run on your iPhone. Double-click it and follow the on-screen instructions:

When it asks, select the firmware version that your iPhone is using. If you're not sure which version it's using, you can ask the iPhone itself. Tap Settings: General: About, and you should see a listing for Version.

Select this version in AppTapp and click Continue. AppTapp will show a progress bar, and ask you to be patient while it takes the 2-3 minutes it needs to hack your phone.

What it's doing is using the same jailbreak exploit that I described in my original hacking article - the exploit that you used by hand with the iFuntastic utility. Basically, what's happening is that AppTapp is taking the place of iTunes, interrupting the communication that iTunes would normally be having through the iPhone's USB cable, and using that communications channel to copy files directly to the phone.

Remember, your iPhone is running Unix, just like your Mac, so AppTapp is capable of copying files and installing lots of standard Unix routines by simply using tried-and-true Unix protocols and procedures. This is one reason that iPhone hacking is not such a dangerous thing: once a simple hardware hole has been exploited, you're simply using the iPhone's operating system in the way that it was intended to be used.

When AppTapp is finished, your phone will restart and iTunes will launch. You're done! Your phone is hacked!

So what do I get with this hack?

In case you haven't already noticed, there's now an additional icon on your iPhone's home screen (a screen otherwise known as the "Springboard"). This is Nullriver's excellent, very clever Installer application.

Installer not only knows how to install software, it automatically checks with a central database to find out what applications are out there to be had, and whether or not any of your installed applications have updates available. As with any other online function, Installer will work quicker with a Wi-Fi connection than with an EDGE connection. However, most iPhone apps are very small, so even over Edge you can grab new versions fairly quickly.

Tap Installer to launch it. It will immediately check with the Installer "mothership" to find out what new options you might have. Most likely, the first thing that you'll see will be the Update screen, which will offer you an update to the Installer itself. If it doesn't appear automatically, tap the Update tab to see if there's an update to Installer. Tap this and a screen will present that shows you some details about the package. Tap Install to install the package.

When it's done, it will ask you to restart the Installer. Press the Home button on the phone and then wait a moment while it thinks for a bit. You'll see a small Mac-like spinning gear icon in the center of the screen while it thinks. Your phone will eventually return to the unlock screen.

Now run the Installer again. You should see a list of applications divided into different categories: Community, Games, Network, Ringtones, and System. Within each of these will be applications that you can tap on to install.

Right off the bat, you should install Community Sources, which will open up the Installer app to many more applications. Tap it, then tap the Install button. Basically, these are all applications that are not maintained by Nullriver, so they have been grouped into a separate installation set. It's up to you to decide if you trust them or not. So far, I haven't had any trouble with any of these apps.

The four tabs at the top of Installer app let you switch between Installing apps provided by the main app server, updating apps that you've already installed, uninstalling something you've already installed, and viewing "source" information about the developers of the apps you've installed.

Every time you launch Installer, it will automatically phone home, update its program list as needed and, if anything you've installed has since been updated, will automatically take you to the Update pane. This means you can install, update, and remove programs without being reliant on a Mac or iTunes at all. The iPhone itself becomes a completely self-sufficient, self-sustaining and self-modifiable computer. This is a very cool hack that we can only hope will survive future firmware updates.

Install an App

Now try installing an actual application. Your Install page may differ from the ones shown here, as new applications are released and updated. But you should have a listing for ApolloIM, an iChat-compatible chat client that, at the time of this writing, is in version 0.1.1.

Tap it in the Installer, then hit the Install button. As before, the Installer will go to the server, download the app, and install it. When it's finished, click the Home button to relaunch the Springboard, and you should see a new ApolloIM icon.

Apollo is a great first effort, and now that you have it installed, Installer will automatically notify you when it's updated. You can define multiple accounts in Apollo, but only one can be specified as the active account. This is the one that will be used when you log on. (Another chat client has also arrived on the scene, MobileChat.)

Here's what some of the other things are that you'll find in Installer:

• Under the Development category, you should see Perl, Python, and Ruby and yes, these are full implementations of those scripting languages.

• Under Games you'll find a few listings, but many of them, such as Aquarium, iPhoneDoom, and Zune2, are really just development exercises that serve to explore some of the developer tools that have been built for the iPhone. There are three games that are worth looking at:

Lights Off is a completely native iPhone game wherein you try to get all of the lights on a grid lit by tapping on different squares. Each square that you tap on lights a different selection.

NES is a full-blown Nintendo Entertainment System emulator. Now at version 1, the system is very playable thanks to its exploitation of the iPhone's Multitouch interface and landscape screen mode. For this to work, you'll need to install special ROM files, something we'll look at later.

Frotz is an interpreter for the old Infocom text adventure games. If you enjoy "interactive fiction" this is a great time suck application to have on your phone. As with NES, you'll need to copy some additional files, a process we'll detail later.

• Under Multimedia, you'll find SendSong, which lets you email any song in your iTunes library using the iPhone's mail program. This is a great way to share music with your friends and attract a lawsuit from the RIAA. SendSong displays a simple scrolling list of every song on your iPhone. When you click on one, you get a simple list of options, including the option to use the song as a ringtone! Note that after you've sent the song to ringtones, you still need to go to Settings: Sound: Ringtones, and then select the song. If you later want to remove that song from the Ringtones list (which will free up some storage space), click the Edit button in SendSong, and delete the song.

You'll also find VNotes, a simple voice recorder.

• Under Network, you'll find a full Apache web server; DNS Tools, which provides command-line DNS utilities; and TinyProxy, which is a proxy server. While most people will probably not want to host their web site from their phone, there are some other cool, handy applications in this section: BitchX and iRCm are IRC clients that let you chat on Internet Relay Chat channels. MobileTwitterrific is a Twitter client, if you're into Twittering. ncftp is a command-line FTP client that lets you transfer files to and from your iPhone using standard FTP commands.

• Under Productivity, you'll find Books, an eBook reader; two flash card applications; MobileMoney, a simple finance application; and a file manager called Squid, which lets you browse your iPhone's directory structure and change permissions for any file, just as you would from the command line using chmod.

• Under Ringtones, you'll find the Nullriver Ringtone Pack, a collection of ringtones by the author of Installer.

• Under System, you'll find Dock and Launcher, two applications for handling the fact that the Springboard doesn't scroll. If you want to install more than four applications, you'll need one of these programs. Launcher simply provides a second screen containing more icons, while Dock presents a small yellow blob in the lower right corner of the screen. When you tap and drag on it, you see an array of installed apps. Note, though, that Dock is incompatible with some command-line applications such as those found in Erica's Utilities. You'll also find two terminal applications, which we'll come back to in a bit. You should find BSD Subsystem, and OpenSSH, which we'll also return to in a bit.

• Under Utilities, you'll find iLight, which turns your iPhone into a blank white screen to serve as a flashlight; MobileFinder, another file browser; MobilePreview, which lets you view image files in MobileFinder; MobileRSS, an RSS reader; MobileTextEdit, a simple text editor that also requires MobileFinder; rSBT, which lets you re-order the icons on your Springboard; and SwapTunes, which lets you sync with two different iTunes libraries.

Finally, there's Erica's Utilities, a very handy set of command-line utilities written by Erica Sadun (also the author of SendSong and VNotes) that you can read more about here.

Taking More Control

As you can see, with just the Installer app and the applications available, you can do a fair amount of customization of your phone, from adding new applications, to adding custom ringtones, to re-arranging your Springboard.

Now we're going to talk about going a little bit deeper. We're going to install some additional standard Unix commands so that you can easily copy files to and from your phone. This is required for adding game files for the NES and Frotz games. We're also going to install SSH, which will allow you to take advantage of many of the command-line iPhone utilities such as screenshot applications and more.

From the Installer's System category, install BSD Subsystem. This will give you a suite of standard Unix commands, including the ability to make and remove directories and, most importantly, the SCP command, which lets you transfer files to and from the iPhone.

Next, click on OpenSSH. This will install a Secure Shell on your iPhone, which will let you control the phone from a Mac terminal window. With these packages in place, we're ready to try some additional hacks. You won't see any new icons in your Springboard, as these are all command-line applications that have been installed.

Now we're ready to install and remove additional files. For example, if you've installed NES on your iPhone you'll want to install some ROM files for your favorite games. First of all, you've got to have the ROM files. These are "around" and you should be able to "find" them fairly easily.

You have several options for how to move files to your phone. To use any of them, you'll first have to determine your phone's IP address. On the phone, go to Settings: Wi-Fi and click on the details button for your chosen network.

The easiest way to move files to and from your phone is to use an FTP program on your Mac, such as Panic Software's Transmit, which is the FTP program I'll use for this example. Launch Transmit, and click the Connect tab. Change Protocol to SFTP, then enter your iPhone's IP address in the Server field. Enter root for User Name and dottie for the password. Then click Connect.

Your iPhone's root directory should appear. Navigate to /var/root/Media and create a new folder called ROMs. Open that folder and create a new folder inside it called NES. Open that folder and then copy your unzipped ROM files into it.

If you don't have access to an FTP client, you can open a Terminal window on your Mac and use the SCP command to move files back and forth. See my previous tutorial on how to use SCP.

Frotz game files go in /var/root/Media/Frotz/Games

Once the files have been copied, they should appear when you launch either app.

You can use that same IP address to connect to your phone via the command line using ssh. From the terminal, enter ssh root@[ip address] and then, when prompted, enter the password dottie. You should see a prompt indicating that you're now in a shell on the phone. The first time you connect, it can take a long time (up to a minute) to connect. That's because OpenSSH is creating the keys needed for the Mac to securely talk to the iPhone. Future connections will be much faster. The BSD Subsystem that you installed includes most of the commands that you'll be used to if you have any terminal experience.
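The file-copy procedure above (create /var/root/Media/ROMs/NES or /var/root/Media/Frotz/Games, copy the unzipped game files in) and the ssh login it relies on can be done from one Mac terminal script. The following is an added example, not code from the original article or from the Installer packages it describes; it assumes OpenSSH and BSD Subsystem are already installed on the phone, that ssh/scp prompt for the root password, and that the destination paths are exactly the ones the article gives. It refuses a mistyped IP address and a source folder that still contains archives, the two mistakes most likely to waste a trip through the password prompt.

```shell
#!/bin/sh
# Added example (not part of the original article): push NES ROMs or Frotz
# game files to a jailbroken 1.0 iPhone over SSH/SCP from the Mac terminal.
# Assumes OpenSSH and BSD Subsystem are installed on the phone (so mkdir -p
# and scp work) and that the phone answers on the IP shown under Settings: Wi-Fi.

# Reject anything that is not a plausible dotted-quad IPv4 address, so a typo
# does not turn into an ssh attempt against some unrelated host.
valid_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Map the game type to the directory the article says each app reads from.
dest_dir() {
    case $1 in
        nes)   printf '%s\n' /var/root/Media/ROMs/NES ;;
        frotz) printf '%s\n' /var/root/Media/Frotz/Games ;;
        *)     return 1 ;;
    esac
}

# The article says the ROM files must be unzipped: refuse a directory that
# still holds archives so a .zip is not copied where NES expects raw ROMs.
# Returns 0 when the directory exists and holds no .zip/.gz/.tar files.
files_unpacked() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.zip "$dir"/*.gz "$dir"/*.tar; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Create the destination on the phone and copy every file from the local
# directory into it. ssh and scp prompt for root's password; the article notes
# the 1.0 default is widely known, so change it before using public Wi-Fi.
push_games() {
    ip=$1; kind=$2; src=$3
    valid_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 1; }
    dest=$(dest_dir "$kind") || { echo "kind must be nes or frotz" >&2; return 1; }
    files_unpacked "$src" || { echo "$src missing or still contains archives" >&2; return 1; }
    ssh "root@$ip" "mkdir -p '$dest'" || return 1
    scp "$src"/* "root@$ip:$dest/" || return 1
    echo "copied $(ls "$src" | wc -l | tr -d ' ') file(s) to $ip:$dest"
}

# Usage: sh push_games.sh <phone-ip> nes|frotz <local-dir>
if [ $# -eq 3 ]; then
    push_games "$1" "$2" "$3"
fi
```

Run it as `sh push_games.sh 192.168.1.20 nes ~/roms` (the IP is a constructed placeholder; use the one your phone shows). The mkdir -p step creates the ROMs/NES folders in one go instead of the two manual folder-creation steps, and the checks run before any connection is opened, so a bad argument fails instantly rather than after the password prompt.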

From this shell, you can use Erica's Utilities, which provides a number of excellent, handy functions such as screen shots and the ability to email full-res files from the iPhone's camera (rather than the 640-by-480 down-sampled versions that it usually generates).

You might also want to ssh into your phone and change its default password. Now that you have ssh, scp, and ftp on your phone, it's possible for someone in public to hack into your phone, since you're using a widely known password. But it's very unlikely that this would ever happen. To generate a new password, follow the instructions in my previous tutorial. (And if you've already generated your master.passwd file from the previous hacking kit, you can skip that step and upload the master.passwd file into the right place.)

More to come

Just in the time it's taken me to write this article two more games have appeared in the Installer menu. This is how quickly development is proceeding. What's great about Nullriver's Installer program is that you don't have to watch lots of web sites, trawl through an IRC channel, or generally be in the know to keep abreast of the coolest new apps. Just launch Installer, and see if anything new shows up.

What we haven't looked at in this article are the simple hacks that you can perform with iFuntastic version 3, a free app that lets you add custom ringtones, change the Springboard background, re-arrange your Springboard icons, and more.

Apple's most recent firmware update did not alter anything about the exploit that makes jailbreaking an iPhone possible, nor did it initiate any type of checksumming that would cause the phone to delete installed or altered files. Hopefully this is a sign that Apple is at least passively supportive of the development that is going on, and will allow it to continue.

The named, nameless, and pseudonymous hackers that have made this possible deserve a great deal of thanks, and many of them provide PayPal buttons that let you donate money. If you want to see this type of development continue, throw a few dollars their way.
