Howto: Run custom apps on iPhone (Part #1)
Category: Blog

After getting numerous inquiries from coworkers and friends, decided to write a cohesive howto guide on getting custom apps on your iPhone. Yes, there are numerous sources of information all over the net, but I haven’t seen (keyword, I haven’t, maybe you have) a howto which covers everything from start to finish. This will be a multi-part series (mainly because I don’t want to type so much write now) so stay tuned for the complete guide. For all of these instructions, I am going to assume you are on a Mac. I’ve not seen any way to build apps using the toolchain on Windows and since that is the whole point of this howto series, I won’t go into any Windows related stuff (sorry!).

First things first, you need to get access into the iPhone outside of normal Apple channels. I’ve tried numerous different methods with varying levels of success, but the one I have found easiest is to use Jailbreak combined with iPHUC. Yes, yes, you can do all of it with just iPHUC now, but I have found Jailbreak to be far easier and less error prone to get out of the chroot jail. So, first things first, you need to download a few things:

iPhone Restore Image

The restore image is really a zipfile, so if it didn’t uncompress automatically, then rename the file with a .zip extension and extract it. Now create a directory somewhere (like your home dir) named ” phonedmg “. Inside this directory put the _contents_ of the iPhone1,1_1 from the extracted restore image. Make sure you put the contents (aka two disk images, a directory, and two files) and not the directory itself! Now also extract Jailbreak and put it’s contents there too. Next you are going to run Jailbreak (if I need to tell you how to run it, you should really stop here). Follow the instructions it gives to put the phone in restore mode and a couple moments later your phone should now be fully accessible. If you are curious the steps it is performing behind the scenes, read this twiki page on “How to escape Jail” which is more or less the same steps (except it does it in a different order, but essentially the same thing). I chose to use the automated method as the steps are a bit tedious and there is no perceived benefit I can tell from using the manual steps.

Now that we have complete access to the phone’s filesystem, we will install a basic SSH server to help us with the bootstrap process. The first step is to download and compile iPHUC. The build process is as follows (lifted from here, only reprinted to keep you from having to jump around):

  1. Download and install MacPorts
  2. Open Terminal and issue the following commands (these instructions assume you have xcode developer tools installed and put your phone software in ~/phonedmg):
    sudo port selfupdate
    sudo port install readline
    cd ~/phonedmg/
    mkdir tools-src
    cd tools-src/
    svn co iphuc-src
    cd ./iphuc-src/trunk/iPHUC/
  3. Get the most recent version of MobileDevice.h and save a copy to ‘MobileDevice.h’ in the iPHUC directory
  4. Patch NormalInterface.cpp with the following patch:
    Index: NormalInterface.cpp
    --- NormalInterface.cpp ( revision 8 )
    +++ NormalInterface.cpp ( working copy )
    @@ -1,4 +1,4 @@
    -#include "normalinterface.h"
    +#include "NormalInterface.h"
     #include "Shell.h"
     int n_pwd(string *args, struct shell_state *sh)
  5. Build iPHUC via the following (ignore warnings if everything builds):
    ./ && ./configure --with-readline=/opt/local && make
  6. Copy iPHUC into your phonedmg folder (not required, but I like to keep everything in one convenient spot)

Now that you have built iPHUC, it’s time to get shell access on the phone. We first need to download dropbear for iPhone. Ultimately, dropbear isn’t the SSH server we will stay with, it’s just easier to get it going first. After downloading it, extract it into ~/phonedmg/dropbear. We also need to create ourselves some SSH host keys which we can do by:

  1. Download dropbear source code
  2. Do the normal ./configure && make routine (no need to install, we just need one thing from it)
  3. Generate the host keys via:
    ./dropbearkey -t rsa -f dropbear_rsa_host_key
    ./dropbearkey -t dss -f dropbear_dss_host_key
  4. Copy these two files to your ~/phonedmg folder and then you can delete the dropbear stuff you downloaded in this part as it’s no longer needed

With that completed, now let us upload the stuff to the phone. We do this by firing up iPHUC and following these steps:

  1. Upon running iPHUC, you should see something like the following (if you don’t, then leave a comment or contact me and hopefully I can help you):
    localhost:~/phonedmg $ ./iphuc
    iphuc 0.5.0
    >> By The iPhoneDev Team: nightwatch geohot ixtli warren nall mjc operator
    initPrivateFunctions: this is still not clean.  Architecture: i386
    AMDeviceNotificationSubscribe: 0
    CFRunLoop: Waiting for iPhone.
    notification: iPhone attached.
    AMDeviceConnect: 0
    AMDeviceIsPaired: 1
    AMDeviceValidatePairing: 0
    AMDeviceStartSession: 0
    AMDeviceStartService AFC: 0
    AFCConnectionOpen: 0
    AFCPlatformInit: (no retval)
    notification: Entering shell in Normal Mode.
    shell: Entering loop.
    (iPHUC) /:
  2. Now we need to tell iPHUC to use the special AFC by typing in ” setafc “. You should see something like the following:
    (iPHUC) /: setafc
    AMDeviceStartService AFC: 0
    AFCConnectionOpen: 0
  3. If that’s what you see, then do an ls and make sure you see things resembling a normal root filesystem path (/Applications, /usr, /System, etc). Again, if not, you got a problem.
  4. Now let’s get some files in various places which we need. Execute the following commands:
    getfile /System/Library/LaunchDaemons/
    getfile /usr/sbin/update update.original
  5. Now that we have originals of those files, we can upload our files to the phone by doing the following commands back in iPHUC:
    putfile /Users/(your username)/phonedmg/dropbear/sh /bin/sh
    putfile /Users/(your username)/phonedmg/dropbear/chmod /bin/chmod
    putfile /Users/(your username)/phonedmg/dropbear/chmod /usr/sbin/update
    putfile /Users/(your username)/phonedmg/dropbear/dropbear /usr/bin/dropbear
    putfile /Users/(your username)/phonedmg/dropbear/au.asn.ucc.matt.dropbear.plist /System/Library/LaunchDaemons/au.asn.ucc.matt.dropbear.plist
    putfile /Users/(your username)/phonedmg/dropbear/ /System/Library/LaunchDaemons/
    mkdir /etc/dropbear
    putfile /Users/(your username)/phonedmg/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key
    putfile /Users/(your username)/phonedmg/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key
  6. Now we need to reboot the phone _twice_. The first time will set execute permissions on our binaries, the second time will actually start the ssh daemon (since it will now be executable). You do know how to reboot your phone, right?
  7. Now we need to make sure SSH is working. First make sure you are associated with a wifi network on the phone and get the IP address (logically your laptop and phone need to be on the same wifi network). Then SSH to the phone using username ” root ” and password ” dottie “. If all is well, then we will want to restore the update daemon back to normal. Do this via the following two commands in iPHUC:
    putfile /Users/(your username)/phonedmg/ /System/Library/LaunchDaemons/
    putfile /Users/(your username)/phonedmg/update.original /usr/sbin/update
  8. Now, before continuing any further, we need to secure the phone a bit. Since everyone who has hacked an iPhone (and many who haven’t) now knows your root password, let’s fix that. Run the following command in a normal terminal window:
    perl -e 'print crypt("MYPASSWORD", "XX");'

    Replacing MYPASSWORD with a password and XX with any random two letters (it’s the salt). The easiest way to replace the passwords is to do a “getfile /etc/master.passwd master.passwd.original” in iPHUC, edit both the root and mobile users’ passwords, and the do a “putfile /Users/(your username)/master.passwd.original /etc/master.passwd”.

With that, this first part of the series is now complete. You have successfully hacked your iPhone and got an SSH server running on it. In the next part of the series, I will detail how to install a better SSH server, get basic unix commands on the phone, setup your toolchain/build environment, and then build and install a terminal GUI app on the phone.


8 Responses to “Howto: Run custom apps on iPhone (Part #1)”

  1. [...] getting full access to your iPhone and a basic SSH server running. If you haven’t read Part #1 yet, please do so before continuing here. In this post, we will actually get our toolchain setup as [...]

  2. [...] were all promised! Thanks to the folks at iPhone Dev Wiki, and the binutils project, and these two pages for getting us up and running within [...]

  3. [...] finally settled on a couple of different sources. Jeremy Johnstone

  4. [...] Johnstone demo’d to us the hard way in step by step. He has the instruction on his blog. (Part1, [...]

  5. [...] Howto: Run custom apps on iPhone (Part #1) Howto: Run custom apps on iPhone (Part #2) [...]

  6. [...] the files system on iPhone. Hackers since have accessed to the files system and detail here: “How to Escape Jail“. To a typical user, the OS X file system is [...]

  7. mian says:

    superb…i found this link while trying to recover my from and disabled iphone. i know the passcode but my iphone is in disabled state. i connect it to my itune but it did not ask for passcode again. please give an advice i would appreciate it .

Leave a Comment

Spam Protection by WP-SpamFree