Void's Forums

I'm sure someone else has probably figured this out by now but it's pretty easy to mount the firmware image under linux. First get yourself a copy of the firmware from the Apple site and then:

Code: Select all

$ unzip iPhone1,1_1.0_1A543a_Restore.ipsw
$ dd if=694-5259-38.dmg bs=2048 skip=1 of=/tmp/iphone.img
$ file /tmp/iphone.img
/tmp/iphone.img: Macintosh HFS Extended version 4 data last mounted by: 'H+Lx', created: Tue Jun 26 18:40:30 2007, last modified: Tue Jul  3 21:20:16 2007, last checked: Tue Jun 26 20:40:30 2007, block size: 4096, number of blocks: 3838, free blocks: 440
# mount /tmp/iphone.img /mnt -o loop


Then:

Code: Select all

$ ls -l /mnt
total 4
drwxr-xr-x 1 root root  9 2007-06-26 20:40 bin
drwxr-xr-x 1 root root  2 2007-05-22 22:54 dev
lrwxr-xr-x 1 root   80 11 2007-06-26 20:40 etc -> private/etc
drwxr-xr-x 1 root root  2 2007-05-22 18:05 mnt1
drwxr-xr-x 1 root root  2 2007-05-22 18:05 mnt2
drwxr-xr-x 1 root root  3 2007-06-19 17:42 private
drwxr-xr-x 1 root root  8 2007-06-26 20:40 sbin
drwxr-xr-x 1 root root  4 2007-06-26 20:40 System
drwxr-xr-x 1 root root  7 2007-06-26 20:40 usr


Then:

Code: Select all

$ cat /mnt/etc/master.passwd
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode.  At other times this information is handled by lookupd.  By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:XUU7aqfpey51o:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:0::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:XUU7aqfpey51o
unknown:*:99:99::0:0:Unknown User:/var/empty:/usr/bin/false


Talk about weak passwords:

Code: Select all

# john /mnt/etc/master.passwd
Created directory: /root/.john
Loaded 2 password hashes with 2 different salts (Traditional DES [64/64 BS MMX])
alpine           (mobile)
dottie           (root)
guesses: 2  time: 0:00:00:57 (3)  c/s: 372674  trying: dewMso - dotty1


Probably totally useless information. Then again, there is a second file system image (694-5262-39.dmg) that is encrypted (encrcdsa) and maybe the password from the first one is the passphrase to decrypt/mount the second file system. I'm not sure if there is a way to decrypt encrypted dmg images in Linux. I would never purchase one of these overpriced closed up pieces of craps.

Actually I'll bet these are the keys to decrypt the second dmg file system image:

Code: Select all

$ ls -l /mnt/System/Library/Lockdown/
total 16
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8702_DEV.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8702.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8900_DEV.pem
-rw-r--r-- 1 root root 1204 2007-05-26 15:39 SBOOT_S5L8900.pem


My guess is if you have a Mac (I don't and have never touched one) you could use the "hdiutil" utility along with those keys to mount the encrypted image. Maybe I can find a way to decrypt them in Linux.

EDIT: Actually it appears a couple of the keys are used by the "asr" (Apple Software Restore) command:

Code: Select all

$ strings /mnt/usr/sbin/asr | grep Lockdown
/System/Library/Lockdown/SBOOT_S5L8900.pem
/System/Library/Lockdown/SBOOT_S5L8900_DEV.pem


Man page:
http://developer.apple.com/documentatio ... asr.8.html

Maybe that command used with the related keys will extract the encrypted dmg file. Just speculating...

get bored much?

Ah the less i hear about the iphone the better. It's so closed... you cant even edit files on it apparently... only view them. What kind of "smart" phone is that.

bah!

(although what a nice way to poke fun at a company... by looking up the passwords and all that jazz in their image.)

it's just a bloody phone! and a crap one at that. It's only "innovation" is that the keypad's on a screen instead of using rubber buttons.

And a bigger screen...on the back....

It's the mobile phone version of starbucks. Without them, we never could have imagined paying $5.00 for a small cup of coffee.

JoeDude wrote:It's the mobile phone version of starbucks. Without them, we never could have imagined paying $5.00 for a small cup of coffee.

Heh heh, that's a good one. It's funny that when I was a kid you could get a cup of coffee anywhere for a dime. Of course you could get a gallon of gas for a quarter. :)

I think there is some other phones without buttons (theres an LG that comes to mind), the only thing is that this has their new multitouch screen. Thats kinda cool, but not really.