Installing the Recovery Toolkit (Firmware v2.x)
The latest v2.x firmware changed much about how the iPhone communicates, which calls for a different approach to “owning” (or, as some like to say, “pwning”) the firmware in order to install a recovery toolkit. The v2.x methods achieve the same overall goal as the earlier techniques in this chapter: booting an unsigned RAM disk that installs a recovery toolkit. The mechanism by which that RAM disk is delivered, however, has changed considerably.
The procedure for v2.x takes advantage of a vulnerability in the iPhone’s boot ROM that allows the device to accept unsigned firmware upgrades. A popular tool known as Pwnage exploits this vulnerability and builds a custom firmware package. Normally, restoring that package would destroy the filesystem on the iPhone, so before restoring the firmware you’ll use another tool, named Xpwn, to modify the firmware “restore” so that it acts more like an “upgrade” and installs your recovery payload. The procedure therefore installs both the recovery toolkit and a patched operating system kernel, which is needed in order to run unsigned applications. The steps are rather involved, but once you’ve assembled the proper firmware bundles, you’ll be able to reuse them easily for future examinations. The overall plan follows:
Use Pwnage to hack the boot ROM on the iPhone and build a custom firmware package. At the time of this writing, all iPhones on the market are supported by Pwnage, and newer device models are generally added ...