I’ve just managed to give Zibri’s new jailbreak tool (ZiPhone) a try, Zibri claims this tool can jailbreak/activate all versions of firmwares, unlock BL4.6 phones, changing BL4.6 IMEIs, and even revive BL4.6 bricks. I’m only interested in its jailbreak/activation part because I don’t have a BL4.6 phone.
Here’s the tool: ZiPhone - Zibri’s Multipurpose Utility (Original: http://zibree.blogspot.com/2008/02/ziphone.html)
Excerpt from the README.txt:
Unlock and Imei changer will work ONLY on 4.6 BL (112 and 113 ootb).
Jailbreak will work on any OS version.
Activation will work on any OS version, except for youtube on 1.0.X (I am lazy i know).
As a side-effect, using this tool will revive many ‘dead’ basebands.
Just use the unlock option.
I restored my BL 3.9 phone to 1.1.3 with iTunes, then tried to jailbreak with ZiPhone. My first attempt was on a Leopard which did not succeed, ZiPhone crashed each time after iPhone entered recovery mode, I assumed it’s designed for Tiger only but I didn’t have a Tiger environment to test it. So I turned to Windows, and tried with different methods:
Attemp 1
I first tried to do a standalone jailbreak first, followed by an activation:
ZiPhone -j
ZiPhone -a
Even though both commands executed without error, iPhone still unactivated.
Attemp 2
Then I fed both jailbreak and activation parameters in a single command line:
ZiPhone -a -j
This time it worked, iPhone was jailbroken and activated.
The phone was activated and had the Installer settled, so it’s easy to setup the basic environment in a few minutes, I installed BSD Subsystem and OpenSSH, then logged in to start my investigation.
I took some time to check if it’s another clone of dev team’s software upgrade, so I compared the kernelcache, it’s exactly the same as the one in the decrypted 1.1.3 rootfs image, so it’s a real 1.1.3 jailbreak, not a 1.1.3 running 1.1.2 kernel.
Then I checked how it patched the lockdownd, a binary comparison showed the lockdownd is patched exactly the same way as in dev team’s and natetrue’s software upgrades.
Later, I did a synchronization with iTunes, all was fine, media files were sync’d to /var/mobile/Media folder, nothing to do with root account.
At the end I checked some vital permissions:
/var/root/Library permission 777
/var/root/Library/Preferences permission 777
/var/db/timezone permission 777
The jailbreak had properly set the most important folders permissions, nice.
My phone baseband is 04.03.13_G which had already been unlocked with IPSF-alike method before, so after I sent an unlock command to baseband, it picked up my carrier, phone functions started working.
I took some time playing around with some applications, the result was satisfactory:
Phone Status: 1.1.3 + 04.03.13_G (BL3.9)
Call in/out: working
SMS in/out: working
WiFi: working
EDGE/GRPS: working
YouTube: working
Google Map Location: working
iTunesStore: working
Bluetooth: working
Congratulations to Zibri! This is a great REAL firmware 1.1.3 jailbreak!
Some Limitations
1. ZiPhone does not work on Leopard, this is inconvenient considering many people have upgraded to Leopard.
2. ZiPhone does not set the afc2, so you can’t access rootfs with iPHUC before manually setting it up (and this requires you installing OpenSSH first), this is not convenient because sometimes it’s good to do some file manipulations with iPHUC. E.g. my Internet link is slow, so I’d like to put a modified RemotePackages.plist onto iPhone so that Installer can download from my local sites, without afc2 this simply is not possible.
UPDATE: BTW, to add afc2 so that iPHUC can access rootfs, add the following lines to /System/Library/Lockdown/Services.plist:
- <key>com.apple.afc2key>
- <dict>
- <key>Labelkey>
- <string>com.apple.afc2string>
- <key>ProgramArgumentskey>
- <array>
- <string>/usr/libexec/afcdstring>
- <string>–lockdownstring>
- <string>-dstring>
- <string>/string>
- array>
- dict>
Please be careful not to mess the file, a
No comments:
Post a Comment