George Zhu’s BLOG

UPDATE: I got many problems after jailbreaking to 1.1.3:

EDGE is not working (solved)
Bluetooth can’t be paired (solved)
Settings can’t be saved (tested Mail and WiFi) (solved)
Ringtone muted (solved)

Other issues may not be posted here any more because the Official Jailbreak 1.1.3 has been released.

UPDATE: the above issues can be fixed as shown below:

Give rw permission to all files/folders under /var/root as:

chmod -R a+rw /var/root/*

NOTE: if you wanna use SSH public key authentication, the /var/root folder needs some tuning:

chmod 755 /var/root
chmod 700 /var/root/.ssh

Also, the private key file and authorized_key file must have permission 600. If you have any problem authenticating through public key, check the /var/log/syslog for possible issues.

Fix the preferences problem:

ln -s /private/var/preferences/com.apple.audio.DeviceSettings.plist /private/var/Preferences/.
rm -f /Library/Preferences
ln -s /private/var/Preferences /Library/Preferences

The ringtone files seem to be corrupted, copy all the ringtone files (from a good iPhone) over the upgraded iPhone, ringtone should work now, but the Marimba ringtone does not work.

UPDATE: the customized ringtones can be directly put into /Library/Ringtones, the customized wallpapers can be directly put into /Library/Wallpaper, but need to be renamed to XXX.png, where the XXX is a 3-digit number, I can even put JPG files (renamed to XXX.png) and it still works, interesting :) The first time to view wallpapers may be slow because SpringBoard trying to generate thumbnails for each new wallpaper, everything will be fine when it’s done.

UPDATE: the EDGE finally works, I manually created the rootfs, then used the ‘official jailbreak 1.1.3′ script to do the rest.

—

The firmware 1.1.3 jailbreak has been leaked by natetrue (author of iBrickr), I’ve just taken a few minutes to check how the jailbreak is done.

Afaik, previously every jailbreak uses some exploits to break into the system, for example:

Fake authentication server (DVD Jon’s method)
Fake certificate (iASign)
Symbolic link to rootfs (iPHUC, iNdependence)
Device inode to rootfs (iPHUC, iNdependence)
Tiff exploit (jailbreakme)

Obviously, Apple has been tracking these exploits and keeps fixing them in each and every firmware updates. But now the 1.1.3 jailbreak does not show any exploits, look at the following jailbreaking steps:

1. Extract the rootfs from firmware
2. Decrypt the rootfs using the decription key
3. Expand the decrypted rootfs for patching
4. Patch the rootfs
5. Upload the patched rootfs to iPhone
6. Replace the system partition with the patched rootfs

Every step looks pretty straight forward. Not like the previous jailbreaks, there isn’t any exploit shown in the 1.1.3 jailbreak, it’s just a manual (patched) operating system upgrade, without baseband update though. As long as the firmware can be downgraded, with the help of decryption key, it is always possible to do a manual upgrade like this. For example, the same trick can also be used to jailbreak the previous firmwares.

In fact, the 1.1.3 jailbreak is very similar to the 1.1.1/1.1.2’s, except in 1.1.1/1.1.2 the system partition is transferred through the serial interface while in 1.1.3 this is done in shell, both through the device inode though.

This jailbreak makes me recalling one of my articles HERE, the theory is the same, in that article (at the end) I tried to restore a 1.1.1’s image onto a 1.0.2’s firmware but failed, so I thought it’s not possible, but looks like I just need to try restoring a 1.1.x onto a 1.1.x :)

Nice job and congratulations to dev team and the community! This is not an official Dev Team jailbreak.

P.S. I’m gonna take a look at what has been patched/replaced during the patching procedure, I assume a filesystem comparison would reveal all the modified components.

UPDATE: seems like the upgrade.sh had small bugs, I manually executed the script line by line, and got the following issues during the upgrade:

1. mount had wrong options and never run successfully
2. fsck_hfs failed as well because the filesystem was not mounted as read-only
3. dd completed with an error

Even with the above errors, the iPhone still was upgraded to 1.1.3, lockdownd had been pactched, phone functions still work after upgrade because the jailbreak didn’t touch the baseband. Since fsck_hfs was not run successfully, the rootfs (/dev/rdisk0s1) might have errors, and I got some weird issues after jailbreak (maybe just bad luck).

I’ve modified the script and gonna give it a retry, hopefully it’ll run without any probmes this time. Restoration and retry take too much time, I should setup a local jailbreakme site.

UPDATE: I finally have everything sorted manually, the upgrde.sh needs to be slightly modified, all mount commands need to be changed as these:

mount -u -o rw /private/var
mount -u -o ro /

P.S. I didn’t use the upgrade.sh script in the 1.1.3 soft upgrade because I like the feeling of having everything in control, so I did the jailbreak manually. I generated the decrypted image and patched it manually, put extra tools I need (e.g. BSD Subsystem, SSH, and Term-vt100, etc) onto the image, then uploaded it through SSH to iPhone. I entered the command one by one to make sure they all get executed successfully (that’s how I found the bugs in the script), then boot to jailbroken 1.1.3. Since SSH requires host keys to start, I had to manually generate the keys:

ssh-keygen -f /etc/ssh_host_rsa_key
chmod 600 /etc/ssh_host_rsa_key

Brief Steps to Manually Jailbreak 1.1.3

The manual jailbreak is exactly the same as the jb113.dmg + 1.1.3 software upgrade, only all the steps are done manually so as to take control in each step.

1. Extract the 022-3743-100.dmg (rootfs) from 1.1.3 firmware

$ unzip iPhone1,1_1.1.3_4A93_Restore.ipsw 022-3743-100.dmg

2. Use vfdecrypt to decrypt the rootfs with the decryption key

$ ./vfdecrypt -i 022-3743-100.dmg -o decrypted113.dmg -k 11070c11d93b9be5069b643204451ed95aad37df7b332d10e48fd3d23c62fca517055816

3. Decompress the decrypted image using the bundled utility dmg2img (or do it manually on Mac)

$ ./dmg2img decrypted113.dmg expanded113.dmg

4. Patch the decompressed image

$ ./sdelta3 expanded113.dmg patch.sd3 > rootfs113.dmg

the patch expands the image size from 279520256 to 314572800 (the destination size on iPhone), then modifies some files (I haven’t compared the filesystems, so don’t know what was patched yet).

Mount the rootfs113.dmg on Mac, add any extra stuffs, now the image is ready. Save a copy so that you can easily repeat the jailbreak.

5. Create a folder /var/root/upgrade on iPhone, upload the image and essential tools into it:

$ scp rootfs113.dmg root@iphone_ip:/var/root/upgrade
$ scp cd mount mkdir ln chmod rm dd fsck_hfs reboot root@iphone_ip:/var/root/upgrade

6. SSH to iPhone and restore the rootfs113.dmg to system partition (/dev/rdisk0s1)

# cd /var/root/upgrade
# export PATH=/var/root/upgrade
# mount -u -o rw /private/var
# mkdir -p /var/db/timezone
# ln -s /var/db/localtime /var/db/timezone/.
# ln -s /var/root/Library/Keychains /var/.
# chmod a+rwx /var/root/Library/Keychains
# mkdir -p /var/Preferences
# ln -s /var/root/Library/Preferences/SystemConfiguration  /var/Preferences/.
# ln -s /var/root/Library/Preferences/csidata /var/Preferences/.
# rm -rf /var/mobile
# ln -s /var/root /var/mobile
# mount -u -o ro /
# dd if=rootfs113.dmg of=/dev/rdisk0s1 bs=1048576 count=300
# fsck_hfs /dev/rdisk0s1
# reboot

—

The upgrade packages used in this article (read and understand how it works before trying):

Nate’s Jailbreak 1.1.3 DMG
Patch for Upgrading from 1.1.1
Patch for Upgrading from 1.1.2
Post-Upgrade Script for Nate’s Jailbreak 1.1.3