Sunday, November 04, 2007

Hacking the iPod Touch - Part 1

my new (hacked) ipod touch
So now that I had a little time to play around with this cool gadget, I think its time that I shared some of fun in hacking the iPod Touch. But first a friendly government warning :

WARNING: Hacking gadgets is known to cause bricking and in some instances may even void your warranty. As a general rule assume you won't be able to upgrade your firmware in the future. If your doing this, do it AT YOUR OWN RISK!

Don't worry in reality its almost impossible to brick the device since you can restore it using iTunes. So if you're still with me then "welcome to a brave new world of hacking!". First let me explain how the iphone/ipod touch hack works in layman's terms.

TIFF Exploit

The key ingredient for performing the hack is around a bug discovered in libtiff, a library used widely to provide tiff image handling capabilities. This bug can be used to cause a buffer overflow, allowing arbitrary code to be executed. Such exploits can aid (in a good sense) to unlock a device which has been locked, limiting its functionality to what ever the device manufacturer wants it to do.

Before the iPhone, the PSP firmware 2.0 was also hacked using a similar TIFF exploit allowing third party home brew apps to be executed.

In the case of the iTouch, you would visit a site containing a specially crafted TIFF image vis the Safari mobile browser. This would crash the browser and execute the payload. What that code does is simply to remount the root file system with full read/write permission, enabling the browser to break out of the chrooted jail its running under - jailbreak. This is possible thanks to Apple running the browser as root (admin), something any one with a little sense of security would not do.

You can read more about the TIFF exploit here.

Jail breaking the Touch

Jail breaking the touch has been made so easy that even a 5 year old could do it. The easiest method which was released less than a week ago, requires you to just visit and click on a link. It will display a TIFF which will jailbreak the device, making it suitable for running third party apps, install a user friendly App installer app and finally patch the TIFF exploit so you won't be compromised in the future! If your a GNU/Linux user, this also means you no longer need to goto a Mac or Windows to Jail break.

There are also a GUI tools which can be run inside MacOSX (iJailbreak) and Windows (Touchfree).

But I used the almost manual method since I thought it would be more fun going through the steps. I used my Mac Mini (PPC) but there is also a how to for Windows (sorry not for GNU/Linux).

If everything went ok, you will now be able to install apps by launching the ifrom the SpringBoard interface. All you need is to be connected to the net.

What ever you install, you'll definitely want to install OpenSSH server (and even client), BSD Subsystem, DNS tools, SummerBoard.

In part 2 I will talk about some of the productivity apps and some other interesting apps that you can run. I'll also try to touch up on getting the Touch to work on GNU/Linux so that you can transfer music, videos and may be even photos (still trying to figure this out) without using iTunes.

If you can't wait... subscribe to my twitter blog for a near real-time update of what I'm upto.


Bud said...

New firmware (1.1.2) for the iphone is out. If you update you loose the ability to run home brew. As a good thing the new iphone firmware has a usb-disk mode so you can now mount it. I'm sure the new one will be hacked soon.

Sri Labs said...

Ipod Touch's newest firmware(1.1.2) has been hacked,but its not officially available.
But still in Sri Lanka that update isnt available :( anyways my touch works fine and used the both jailbreaking methods,(via jailbreakme)

Bud said...

yup sure has been :) there is a manual method over at You can manually download the 1.1.2 firmware and get iTunes to ask you to hand pick the ipw file.

But I still haven't found a compelling reason to upgrade, given the hassle of backing up my data. Only if they had the USB disk emulation, i'd upgrade in a flash!

Bud said...

For unlocking the iphone, I was told this HOWTO to be accurate.

RabbitSeason said...

please is there a new or easy way to check for wifi greyED out ipod touch 1g 3.1.3. to is 10.13.2011
rick p

RabbitSeason said...

Any new post on IPOD TOUCH 1G . have read alot . Hard to get any the tools. I did get alot of firmware saved. only NOT the

3.1.2... so i'm working with 3.1.3.

i used cydia in the passed