Pumpkin from the iPhone Dev Team posted his thoughts. I found it interesting and posted it here for you all to read. It does a nice job explaining the situation with Zibri as well as how pwnage and iPhone 2.0 hacks work. Enjoy.

The following opinions are mine, and not those of the DevTeam as a whole, although many members agree with me:

Free thoughts…

There’s something that’s been on my chest for awhile, and it’s been bothering others on the team as well. The name of this particular thorn in our sides begins with the letter Z and ends with “ibri”. Yes, I’m sure all of you are rolling your eyes at the “drama” we hacker “kids” are stirring up, but I’m sure if you had your work taken without permission, you would feel the same way. It’s particularly galling that he is still spreading FUD on his blog in an attempt to save face. I’m going to try to address some of them in this post.

Zibri implies that our jailbreak is not “real”, saying instead that our release is a “software upgrade, total internat [sic] firmware modification and custom firmware”.

For him, a “real hack” works in a few minutes because it only needs to modify a few bytes here and there.

When Pwnage 1.0 was released, it was indeed the ultimate hack for the iPhone/iPod Touch. Never before had the devices been under the user’s control from the very bottom up. Prior, less sophisticated jailbreaks were still subject to the whims of the kernel, which couldn’t be modified because the bootloader checked its signature and refused to boot if it was incorrect.

Back in those days, the definition of “hack” above was still a feasible one, as the chain of trust ended at the kernel. Once you gained write access to the root filesystem, you could run arbitrary programs and make patches at will to many system components. Indeed, many such patches were needed, to make activation allow unapproved SIM cards, and to make Springboard display unauthorized apps.

Fast forward back to the present, and you’ll see the situation has changed. Solutions that using a ramdisk simply made a change or two to the filesystem now must contend with the mighty kernel’s signature checking of all installed apps and libraries. Mounting the root filesystem and modifying /etc/fstab to make it writable is quite alright, but the moment you make patches for activation or anything else, the kernel will refuse to run the modified programs, unless you can somehow steal Apple’s private signing key. Furthermore, such a jailbreak would be essentially useless because the system would refuse to run any of your custom software (such as Installer.app or Cydia), again because of the lack of signatures on it.

Given the above situation, it becomes clear that if you want to use 2.0 for anything but screenshots, you either need to get ahold of Apple’s signing key (start preparing your army now) or you need to patch the 2.0 kernel. Hard as we tried, we couldn’t find much of an army, so we took the latter approach.

We adapted our Pwnage technique to the 2.0 firmware, using a new unreleased exploit that we’d been keeping to ourselves, in the hope that Apple wouldn’t patch it. This allows us to cut the signature checks out of the device bootloaders, allowing us to remove signature checking from the kernel, and enabling you to run all the custom software and patches you please.

Please note other than my facetious army suggestions, patching the bootloaders is the _only_ way to get a functional jailbreak for 2.0. Under the aforementioned definition of “real hack”, there is no such thing as a “real hack” for 2.0. I hope you agree with me by now that Pwnage, the exploit it uses, and its subsequent obliteration of the device’s chain of trust, is a “real hack”.

More FUD is spread by this undying rumor of “Palladium” (or TPM) being used fully on Apple’s devices, making it impossible for you “to play online with legit buyers.” This is nothing but uninformed nonsense, and while there is the potential for some definition of trusted computing on iPhone and iPod Touch, Apple is not using it, and they have no way to remotely distinguish your pwned device from a legitimately activated one. This should have been obvious from our examples of running App Store applications next to our custom ones, but “obvious” is a very relative term.

On an unrelated note, I and the others take issue with Zibri’s definition of open source. No, Linux distributions are not stealing, but our work was not released as open source, with any kind of permissive license, so the open source he brings into the discussion is entirely irrelevant. He took our work, our private exploits (such as the unreleased one we were able to use for Pwning 2.0), and without our permission (trying to defame us with fake comments, no less) used them in his work, that he made significant amounts of money on. He did this not by selling “his work”, but by portraying himself as the reasonable “dev” who fought against the tyranny of the dev team and Apple, and requesting donations to his “cause” (recall his older iphone-elite.googlecode.com and his self-righteous bashing of the dev team for accepting donations; funny how principles change). Furthermore, with his millions of hits and occasionally obscene ads, he made his site into a complete money machine. So although he did not sell our work, it is more than fair to say that he made plenty of money from it.

And as to his most recent update, I’m not really sure what to say. I’d call it the swan song, but that would imply he was a swan, which is certainly not my intention. Maybe the chicken song would be more appropriate. ZiPhone was “developed” 9 months after the iPhone release, so he’s justifying his lack of releases now, okay. Once again he pushes the “real hack” idea, which we hope we’ve already pounded sufficiently into the ground above. We’re not sure how the fact that we were so popular it took down multiple unmetered gigabit servers is a point in his favor. We’ve had close to a third of his total visits since last week.

I want to dedicate a special paragraph to something that’s been bugging us for a while, too. The myth that ZiPhone never harmed a phone. Certainly, we all know that iPhones are almost impossible to brick, but flashing unmatched fls/eep pairs to the baseband is plain irresponsible on Zibri’s part. Does he not care about messing up phones, or does he simply not know better? And the laughable WiFi fix he released for issues that he called “user error” (actually a consequence of the above design choice) where he unconditionally set every ZiPhone WiFi MAC address to 0:Z:i:b:r:i? How did he expect that to work? It doesn’t take a networking genius to figure out that two such phones on the same network would cause havoc, and indeed it did.

The following few “facts” on his blog are just more FUD. Our tools can’t kill iPhones, because the only way to kill an iPhone through software (and even then just the radio) is to flash an incomplete image as the S-Gold bootloader. Apple cannot remotely kill pwned iPhones because as I mentioned earlier, it has no way to detect which iPhones are pwned.

I’m not sure why he goes on to say that you should be satisfied with Apple’s AppStore. It certainly contains many good programs, but to quote Zibri just a couple of weeks earlier:

As of today you will have 2 choices:
1) Believe in the community and don’t upgrade to 2.0
2) Say goodbye to Installer and freedom and upgrade.

So are you suggesting we say goodbye to freedom now? I guess we can’t expect much from someone who made a reputation for himself by denouncing the devteam for accepting donations (not even soliciting them) and who now has a website full of ads, exhortations to donate, and very little content? Now we have given you a nice opportunity to upgrade to 2.0, use the AppStore _and_ use community apps. If he really wanted the good of the community, why is he not recommending it?

I would normally just ignore his entries, but as many still look at Zibri as an authority in the scene, I felt the need to dispel some of the FUD he was spreading, and finally denounce his pathetic attempts to stay relevant. Posting the latest root filesystem key after we release PwnageTool? PwnageTool exposes all the keys right within its plist files. And if he knew about the DFU exploit all along, as he implies, why didn’t he take advantage of it? We would like to see him write up an article on how it all works, just to prove that Zibri knows all.

Thank you for your patience reading this. We will continue working hard on providing quality hacks and software, but please, to anyone who’s tempted, stop spreading bullshit about us and our work.

So I was catching up on the recent events of the morning and came across Zibri’s latest post. Hoping it would provide me some entertainment, I read it. I noticed something in his post that I believe is untrue and nothing anyone has to worry about so I decided to post it here and explain:

Zibri states in his latest status update:

“About the ’soon to be released’ hacks,
think about the playstation or online games;
you can crack them, but you won’t be able
to play online with legit buyers.

Now think: what is an offline iPhone?
A paperweight.
That’s what you’re gonna have
if (WHEN) apple decides to push a button.
And this time they will.”

To this, I want to speak. There is no way Apple can “push one button” and turn your phone into a brick. They cannot kick you offline either.  Shame on Zibri for trying to generate some panic amongst those that are not so technically inclined. This data is false please disregard it. It is impossible for Apple to kick you offline for any reason. They do not control the networks! So, please no one worry about this shinanigens.

The worst thing Apple can do is kick you off Appstore. And, to this, I say it is ridiculous. Apple is making a a fortune off you from Appstore and would never do something like this. Estimates say 30% of folks jailbreak their phone. They would never turn off 30% of potential sales. They haven’t kicked anyone off iTunes store for jailbreaking.

Anyways, I will be looking forward to the upcoming 2.0 jailbreak. You should be too.

Ziphone Warning

“But Ziphone works fine for me? Why should I avoid it?”

I hear this all the time. It’s simple. Ziphone does permanent changes to your phone. Zibri is a terrible coder that stole most the exploits for ZiPhone and did not create them. Zibri admits that he cannot code. Ziphone does work most of the time. But when it does not work, you are most likely left with an unfixable brick. Other jailbreak software such as iLiberty+, Pwnage, will not leave you with a brick. Everything they do can be reverted safely. This means if they fail on you, you just restore and try again. No harm done.

With ziphone, your damage is permanent. It’s a crap shoot. It may work 9 times out of 10, but on that 10th time that it fails out, you can expect to be purchasing a new iPhone. Sounds great right? Indeed, this is so common that the term “ziphoned” actually has meaning (a bricked phone caused by ZiPhone). Check out the google search on the term and see the problems for yourself.

If you have used Ziphone and your phone is currently working, you do not need to do anything. Just don’t use it again. The next time could be fatal. You’ve been warned!

Question:

Could you please elaborate on the permanent changes caused by Ziphone?
All unlocking/jailbreaking methods modify the phone in some way, at least they patch baseband, and pwnage patches bootloader.
I know that Ziphone downgrades the 4.6 bootloader to 3.9 (which has been thought to be permanent until pwnage came out), but so does iLiberty+, iDemocracy and any other unlock method that is not based on pwnage

Answer:

First off, iLiberty+ does not downgrade your bootloader by default. It downgrades you to 3.9 fakeblank which is easily reversible and not dangerous. This is not the same thing as 3.9 used by Ziphone! Ziphone downgrades the bootloader to 3.9 automatically. If this process fails, you’re done. This process considered so risky that Apple does not do any bootloader upgrades in their firmware packages! They could have put a stop to all the unlocks when 1.1.2 came out by having the 1.1.1 to 1.1.2 firmware upgrade upgrade old bootloaders to 4.6 but they considered this too risky and did not do it! Ziphone does it anyway.

Zibri has had so many releases that fix “type-o’s”. That’s just silly. The code is so sloppy and buggy. Some versions will unlock even when you did not ask it to resulting in a downgraded bootloader just on a request to jailbreak! Neat :(

Ziphone is also very dangerous because it does all the flashing (most risky part) during the first phase of the ram disk. During this phase, allocating too much memory can result in ram disk corruption. This is very bad. You want to minimize the amount of memory used as much as possible and you only care about stability. Ziphone doesn’t worry about this. Due to the technique used to boot the ramdisk, the memory is easily corrupted if you try to allocate too much of it. The result is that you are corrupting the very data that you are flashing!

iLiberty+, iPlus both use a smaller ram disk to flash. This minimizes the amount of memory used and takes great care to prevent memory allocations from corrupting the ram disk. Then these tools come back on a second pass to install payloads. This is done after the flashing is done where there is no risk.

As a result, several ziphone users have reported problems with no edge, no wifi, no bluetooth or a combination of the 3. In many cases this is unfixable. Zibri has added a wifi “fix” to his app which works sometimes, but this programs a bogus network address that is the same on every phone.