Donations Sent To Red Cross

Although I’m eager to own a MacBook Pro and have been saving for it, and I’m accepting donations for it as well, I feel the people in Wen Chuan County (Sichuan Province) who suffered huge losses in the recent earthquake (which struck on May 12) need the support more, so I have donated all the donations I have received so far to China’s Red Cross.

A big “Thank You!” to all the people who have donated:

Anestis Georgiadis
Neil Baldwin
Oktay Oeztueter
Eddy Tjondronegoro
Abner Cesaire
Severo Acevedo Ceballos
Terje Saether
Angel Barra Madrigal
Velimir Ljubic
Patrick Van Glabeke
Youssef Francis
Robert Olson
Lou Bragg
Rob Raab
Spyros Sklavos
Wing Yeu Michael Wu
David Perez

Snapshots from various forums:


Forty Is Too Old To Do Software Development?

ABSTRACT: This article complains about the age restrictions applied when looking for a software development job in China. In short, if you’re over 40, looking for a software development position is going to be a nightmare. The article was originally written in Chinese.

So It Is This Hard for a Forty-Year-Old Software Developer to Find a Job

You don’t know until you try: the age requirements imposed by companies hiring software developers are really rather strange, and for a 40-year-old software developer, finding a new job is genuinely difficult. Because my company changed direction, I recently lost my job. I had assumed that with many years of development experience, finding a senior software development position would be no problem; in reality it turned out to be nothing of the kind.

First I prepared my resume, then went to 51job (前程无忧) and other recruiting sites to look for software development positions. There seemed to be plenty of suitable openings, except for one unwritten rule:

For software development in general, applicants over 35 are not considered.

This is somewhat awkward. On one hand, many companies require applicants to have many years of software development experience; on the other, they require the applicant to be no older than 35. Experience is accumulated: without a certain number of years of development, where would experience come from, and how could someone with many years of development still be young? An applicant who really has experience will already be close to that 35 cutoff. Judged this way, they could only work at the company for a few years at most, so how can the company keep its development team stable?

Because I had never really been on the open job market before, having always been hired through introductions, I didn’t know there was this age hurdle in job hunting. From my actual experience, the 35 limit definitely exists. Although many employers don’t state an age requirement, the first thing they do when reviewing a resume is to check the age. Everyone seems to share a “consensus”: if you’re still writing code at 40, your skills can’t be any good, otherwise you’d have become a project manager long ago. Little do they know that some people simply like doing this kind of technical work, just like Peter Norton back in the day, who preferred to sell his company and go back to the software development he loved.

The age limit can be confirmed by an experiment. If you change your age to 30, applying for a senior software development position is very easy and nearly every application gets an interview; if you write your age as 40, you basically won’t even get an interview.

It has been a month since I lost my job, and in that time I have had only two interviews. The first came through an introduction, but the company was looking for management talent while I was interested in senior software development, so we were talking past each other and the outcome was not promising. The second seemed fine on the surface: I passed both the HR interview and the technical manager’s interview, yet never heard back. Thinking back now, it was the age problem, because at the very end the HR person remarked, “Oh, you graduated in ’87?” I suspect she had misjudged my age, since my resume only listed the last 10 years of experience and she probably assumed I graduated in ’97.

I really don’t understand: can people over 40 really not do software development?

gzDecryptor, A Small Firmware Tool

UPDATE: In firmware 2.0 5A258f, the ramdisk is no longer an 8900 file, it’s just a normal ramdisk (with a little data prepended/appended), so this tool did not work on 2.0 5A258f at first; it has since been updated to support the latest firmware 2.0 5A258f. UPDATE: Works on 5A274d as well.

UPDATE: Fixed a bug that causes decryption failure if there are spaces in path/filename.

UPDATE: Added a routine to fix the generated DMG.

This is a small tool to simplify some firmware related jobs. Normally, you will take the following steps when you’ve got a new firmware:

1. Decompress firmware
2. Decrypt ramdisk
3. Extract rootfs decryption key
4. Decrypt rootfs
5. Extract important files

If you are on Mac OS X, you are lucky because you can easily find all the tools needed for the above jobs and write a simple wrapper script to automate them, but on Windows there seems to be no such tool yet, which is why I wrote this small tool, gzDecryptor. Check the following snapshot:


First Chinese Handwriting IME On iPhone

Chinese mobile device users must know HWPen, a famous Chinese handwriting IME; it’s a very good input method and offers the easiest Chinese input experience on a mobile device. Before I switched to iPhone, my favorite mobile phone was Dopod, and I always used HWPen as my first choice for Chinese input on it.

Ever since I switched to iPhone, I found myself in a situation where there was no handwriting IME for inputting Chinese, so my favorite Chinese input method became iCosta Pinyin, a small and fast IME. I even wrote an article about it several weeks ago (check This Link) and analyzed some of the techniques behind it. Basically, it overrides some system calls to implement the Chinese input.

The situation is changing: HWPen has now come to iPhone, and as a former user I of course gave it a try. I downloaded the package (HWPen.zip) and extracted it. There were no executables in it, so I was not expecting an application to set up parameters or the environment for it; a quick check of its installation plist showed it interposes libHWIME.dylib before SpringBoard is loaded, so it uses a technique similar to the other IMEs (e.g. iCosta). A scan of libHWIME.dylib showed it utilizes the Korean keyboard, so it won’t conflict with other IMEs that also use internal keyboards, because those IMEs often utilize the Japanese keyboard.


New Features In Firmware 2.0 Build 5A240d

I’m usually not interested in betas, but I was bored today, so I decided to give 2.0 5A240d a try and see whether there are any interesting changes in it. So I restored with iTunes and then activated it. Since I’m not interested in using it, I just looked around trying to find out what’s new; the following is what I found:

Better Chinese Support

In old versions, when you switched to Chinese, you wouldn’t notice any difference in the GUI until you put the Chinese resource files into the proper folder. But in 2.0 these resource files are bundled: when I tried switching to Chinese, SpringBoard and the related settings immediately switched to the new language.

MobileMail

In 2.0, MobileMail seems to support more encodings. In old versions it always used UTF-8, so some mails written in other encodings (e.g. GB2312) were not readable; this has changed in 2.0. Now MobileMail correctly detects my GB2312-encoded mails.

SIM Contacts

Now you can import contacts from the SIM into the iPhone, but there seems to be no export function. The import function is in Settings -> Phone.

Parent Control

There’s a new item in Settings -> General, Parent Control. You can control iTunes, Safari, YouTube, iTunes Store and App Store.

Others

There are some minor changes in Settings.

Improvements and New Features in Firmware 2.0

I had nothing to do today, so I decided to try the new firmware (although I have had it for a long time, I never felt like installing it, because I’m not particularly interested in beta versions). Although firmware 2.0 has not been officially released yet, internal test builds usually reveal some trends, so I immediately upgraded the device to 2.0. Since I didn’t plan to actually use it, I only took a casual look, didn’t even unlock it, and just looked at the SpringBoard part, but I still saw some pleasing improvements.

Improvement 1: Multi-language Environment

In previous versions, even after switching the language, you still had to supply the corresponding language pack yourself before you could see Chinese in SpringBoard and elsewhere. In 2.0 the resource files are bundled; once you switch the language, the corresponding menus and interface switch language at the same time. This completely eliminates the so-called “localization” work, and I’m sure many people will be very happy about it.

Improvement 2: Mail

Earlier versions of MobileMail always used UTF-8 to interpret the encoding when reading mail, so mails in other encodings often displayed as garbage; Chinese users are surely no strangers to garbled GB2312 mails. In 2.0 this problem seems to have been solved: the encoding is now detected correctly, and displaying GB2312 Chinese mail is no longer a headache.

Improvement 3: Contacts

The Phone settings section of firmware 2.0 has a new function: importing SIM card contacts into the iPhone, so no special software is needed for importing any more. I did not see a function to export contacts to the SIM card, though.

Improvement 4: Parental Control

There is now a parental control configuration. Westerners seem especially concerned about their children; lots of software has this parental control feature.

2.0 may have other important improvements, but I’m not very interested in them, so I didn’t dig further. I’m sure there will be pleasant surprises when the official release comes out.

Geohot Linux Driver And iBooter

You may know that I took some time reversing iBooter, trying to find out the magic behind it. After reading Geohot’s iPhone USB Linux driver and client sample code and comparing them with what I had found by reversing iBooter, I have to say I feel a little disappointed about iBooter. It’s just a wrapper around Geohot’s code, and there’s no secret behind it.

I’ll try to explain here what iBooter has done with Geohot’s code. The best way to explain is an example, so let me start from the very beginning of the program: main. Be prepared, this is a long post :)

Snippet 1: main entry

In Geohot’s client code:

	FILE *ipk;
	/* one command block to send to the driver, one to receive its reply */
	drvcmd *send = malloc(sizeof(drvcmd));
	drvcmd *rcv = malloc(sizeof(drvcmd));
	send->constant = 0x1234;   /* constant field of the command header */
	send->size = 0;            /* no payload data follows this command */
	send->unknown = 0;
	char line[8192];
	int rcvd, rcvdmax;
	send->cmdcode = 0x0;       /* command code 0 */
	hexdump((unsigned char *)send, sizeof(drvcmd));   /* dump the outgoing command */
	sendctrl(send, rcv);                               /* send it; the reply lands in rcv */
	hexdump((unsigned char *)rcv, sizeof(drvcmd));     /* dump the reply */

	usleep(200000);                                    /* give the device time to respond */
	readusb();                                         /* read whatever the device sent back */


Recover From “BSD Root: md0, major 2, minor 0”

Some people might have had a problem when their ramdisk boot was not successful. This happens in some rare cases: the ramdisk has been uploaded, but for some reason the phone didn’t boot and you turned it off manually, or your computer had a power failure during the ramdisk boot. In such rare cases, your phone may end up with an endless message:

BSD Root: md0, major 2, minor 0

The reason this happens is that in the above situations the ramdisk image has been written to the phone’s memory and the phone has been told to boot from memory, but when you boot the phone manually, the ramdisk image no longer exists in memory, so the boot from memory will definitely fail.

UPDATE: Take the following steps to put the phone back into recovery mode first:

1. Make sure the phone is connected to the computer and is displaying “BSD Root: md0, major 2, minor 0”
2. Disconnect the phone from the computer
3. Power off the phone
4. Press and hold the Home button, then connect the phone to the computer (don’t release Home yet); it’ll start booting
5. Wait till the phone displays the iTunes + USB cable icon; you may release Home now

At this point, you have several choices:

Choice 1. Continue from last failure point
Choice 2. Give up old process
Choice 3. Use other tools
Choice 4. Restore phone

Choice 1: Continue from last failure point

To continue from the last failure point, fire up iLiberty+ and “Go for it” without selecting any payloads (except Jailbreak); it’ll pick up the old payload you uploaded in the last failed process and execute it.

Choice 2: Give up old process

You should know that the payload you uploaded is still there at this point; if you don’t want to continue with it, you have to tell iLiberty+ to remove it. Take these steps to do so:

1. Fire up iLiberty+ and “Jump Out of Recovery Mode”
2. Select at least one payload (besides Jailbreak) and “Go for it”

Choice 3: Use other tools

If you want to use other tools, you may have to get the phone back into a normal state (depending on the tool you’re going to use). You may use a tool that supports serial commands to get the phone back to the normal state, e.g., iLiberty+, iPHUC, etc.

To use iLiberty+, press the Jump Out of Recovery Mode button.
To use iPHUC, issue the following commands:

(iPHUC Recovery) #: cmd setenv boot-args ""
(iPHUC Recovery) #: cmd saveenv
(iPHUC Recovery) #: cmd fsboot

Wait for a few seconds; it’ll kick the phone back into normal mode.

Please remember, although your phone has come back to a normal state, the payload you uploaded during the last process has not been removed, so you’ll notice some space lost depending on which payloads you selected. To remove the payloads manually, go to the /var/mobile/Media folder and remove payload.zip.

Choice 4: Restore

Fire up iLiberty+ and press the Enter DFU Mode button to put the phone into DFU mode, then use iTunes to restore it.

The following is the old content, which does the same thing as described above:

The way to bring the phone out of the above situation is simple; I can think of 3 ways:

Method 1: Use iLiberty+ “Go for it” without any options (except Jailbreak) checked.

Method 2: Boot with another ramdisk and set back the boot parameter so that the phone won’t try to boot from memory next time.

Method 3: Restore with iTunes.


Frequently Asked Questions for iLiberty+

Q: Is iLiberty+ free?
A: Yes, absolutely. UPDATE: Some people reported they bought iLiberty+ from some site. I can only say you were cheated: I didn’t sell it, I have nothing to do with any of the sites that are selling iLiberty+, and I don’t offer any technical support for any of them.

Q: Who developed iLiberty+?
A: For the Windows version, aviegas and I are the developers. For the Mac OS X version, francis and pepijn are the developers.

Q: Where can I download iLiberty+?
A: Check This Link.

Q: What are the differences between iLiberty+ and other similar tools?
A: Refer to This Article.

Q: Do I have to check all options in a run? What if I missed one?
A: No. iLiberty+ is designed with flexibility in mind; each payload is carefully designed to be independent, although some special payloads (e.g. the BL upgrade payload) may behave differently when a specific other payload is also checked. So if you forgot to check a payload, just check it and give it another go. You don’t need to check the payloads that are already done, just the missing ones.

Q: May I run iLiberty+ multiple times?
A: Yes. iLiberty+ is safe to run multiple times; in fact, it is specifically designed to support this. There’s one simple rule to obey, though: don’t check the payloads that have already been done in past runs. That is to say, if you wish, you may check one option, go for it, then check another option, and repeat the same procedure until all your payloads have been run.

Q: If iLiberty+ is safe to run multiple times, why shouldn’t I check the same options more than once?
A: Well, although iLiberty+ itself has no problem running multiple times, some payloads might have side effects. For example, suppose you want to unlock a phone with the GeoIPSF method (there’s no such payload at the time this article is written): you need to back up the original seczone. This is not a problem for the first run, but if you run the payload a second time, you can’t retrieve the original seczone because the NCK token has been zeroed out in the last unlock. So, to avoid side effects, please don’t check the same payloads to run more than once (most of the official payloads have no side effects in multiple runs, though).

Q: How do I write my own payload?
A: Please refer to This Article.

Q: How do I host my own payload repo?
A: Please refer to This Article to create a plist file for your payloads.

Q: Can I install my own payload without a repo?
A: Yes. Just put your payload files (.sh + .zip) into the payload folder under the iLiberty+ installation folder.

iLiberty+ Repo Plist Format

From version 1.3.0, iLiberty+ uses a plist to manage the payloads, which makes it much easier to update a payload whenever needed.

The repo plist is a standard Apple plist file; each dict item describes a payload. Here’s the format:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>payloads</key>
        <array>
                <dict>
                        <key>Id</key>
                        <string>com.zjlotto.iLiberty.FlashBBTo040313</string>
                        <key>Name</key>
                        <string>Reflash baseband to version 04.03.13_G (BL3.9 only)</string>
                        <key>Author</key>
                        <string>George Zhu</string>
                        <key>Version</key>
                        <string>1.1</string>
                        <key>Script</key>
                        <string>http://iLiberty.zjlotto.com/Payloads2/01BL39BasebandTo040313.sh</string>
                        <key>Pack</key>
                        <string>http://iLiberty.zjlotto.com/Payloads2/BL39BasebandTo040313.zip</string>
                        <key>URL</key>
                        <string>http://george.insideiphone.com/</string>
                        <key>Desc</key>
                        <string>This payload reflashes baseband (from up to 04.04.05_G) to version 04.03.13_G. This payload requires bootloader 3.9.</string>
                </dict>
                <dict>
                        <key>Id</key>
                        <string>another.identifier</string>
                        <key>Name</key>
                        <string>another payload</string>
                        ....omitted...
                </dict>
                ...omitted...
        </array>
</dict>
</plist>

You may add multiple repos to iLiberty+, one per line; they’ll be scanned one by one when you press the Refresh button. The default repo (if you don’t set any repo, the default one will appear) is:

http://iLiberty.zjlotto.com/repo.plist
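As an added example (not iLiberty+’s own code; the repo contents and hostnames are constructed), this Python snippet parses a repo plist in the format above and flags entries a client should refuse before fetching anything: missing keys, a duplicate Id, and Script/Pack values that are not http(s) URLs to a .sh/.zip.

```python
import plistlib

# Payload keys as documented in the repo format above.
REQUIRED_KEYS = ("Id", "Name", "Author", "Version", "Script", "Pack", "URL", "Desc")

# Constructed sample repo (not the real default repo): one well-formed entry,
# then one with a duplicate Id, missing keys and a non-http Script URL.
SAMPLE_REPO = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict><key>payloads</key><array>
<dict><key>Id</key><string>com.example.hello</string>
<key>Name</key><string>Hello payload</string>
<key>Author</key><string>Nobody</string>
<key>Version</key><string>1.0</string>
<key>Script</key><string>http://repo.example.invalid/hello.sh</string>
<key>Pack</key><string>http://repo.example.invalid/hello.zip</string>
<key>URL</key><string>http://repo.example.invalid/</string>
<key>Desc</key><string>Does nothing.</string></dict>
<dict><key>Id</key><string>com.example.hello</string>
<key>Name</key><string>Duplicate id, no pack</string>
<key>Script</key><string>ftp://repo.example.invalid/dup.zip</string></dict>
</array></dict></plist>"""


def check_payload(entry, seen_ids):
    """Return the list of problems with one payload dict (empty means OK)."""
    problems = [f"missing key {k}" for k in REQUIRED_KEYS if k not in entry]
    pid = entry.get("Id")
    if pid in seen_ids:
        problems.append(f"duplicate Id {pid}")
    seen_ids.add(pid)
    # Script is the .sh and Pack the .zip; both must be fetched over http(s).
    for key, ext in (("Script", ".sh"), ("Pack", ".zip")):
        url = entry.get(key, "")
        if url and not url.startswith(("http://", "https://")):
            problems.append(f"{key} not an http(s) URL: {url}")
        if url and not url.endswith(ext):
            problems.append(f"{key} should end with {ext}: {url}")
    return problems


def check_repo(repo_bytes):
    """Return [(Id, problems), ...] for every payload dict in a repo plist."""
    seen, report = set(), []
    for entry in plistlib.loads(repo_bytes).get("payloads", []):
        report.append((entry.get("Id"), check_payload(entry, seen)))
    return report
```

The format carries no signature and the default repo is served over plain http, so a check like this only catches malformed entries; it says nothing about whether the host serving the .sh and .zip should be trusted.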


Detect The Recovery Device Using LibUSB

UPDATE: I should have read Geohot’s driver code earlier; the secrets of USB communication with the iPhone in recovery mode are right inside the code. Thanks to timschuerewegen’s comment, which drove me to read Geohot’s code; it does help. This article seems dumb if you have read Geohot’s code, but at least it shows how I reversed the code to analyze and learn before I read the actual source iBooter uses to access the device.

UPDATE: I’ve figured out how to handle recovery mode using the Apple iBoot USB Driver; Geohot’s driver is a very good starting point for beginners to learn from. I’ve written a quick-and-dirty class to handle it. Here’s a snapshot of my test program, which uses LibUSB to access the Apple iBoot USB Driver:

Source code is available: HERE (there might be bugs in the code)
NOTICE: The GUI uses the Raize Component Suite, so you will not be able to compile it if you don’t have this component, but it’s easy to write your own GUI using the included unitIUSB class.
