
Key iPhone Source Code Gets Posted Online - tonyztan
https://motherboard.vice.com/amp/en_us/article/a34g9j/iphone-source-code-iboot-ios-leak
======
blueish
Here's the link to the github repo, since the article didn't mention it:
[https://github.com/h1x0rz3r0/iBoot](https://github.com/h1x0rz3r0/iBoot)

~~~
geowwy
I'm surprised it hasn't been taken down yet

~~~
jumelles
At least one has:
[https://github.com/ZioShiba/iBoot/tree/master/docs](https://github.com/ZioShiba/iBoot/tree/master/docs)

~~~
nerdponx
GitHub seems like an odd place to post this kind of thing. I would have
expected an IPFS link, or an I2P torrent, or something like that.

~~~
peterburkimsher
The article says that it was first posted on Reddit, but nobody noticed for a
while. The GitHub copy is almost certainly a repost, by a different author
than the original leak.

"This source code first surfaced last year, posted by a Reddit user called
“apple_internals” on the Jailbreak subreddit. That post didn’t get much
attention since the user was new and didn’t have enough Reddit karma; the post
was quickly buried. Its new availability on GitHub..."

~~~
niutech
This is the original Reddit post from Sep 22, 2017:
[https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot...](https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot_bootrom_ibss_ibec_illb_source_codes/)

------
evv
[https://github.com/h1x0rz3r0/iBoot/tree/master/include/drive...](https://github.com/h1x0rz3r0/iBoot/tree/master/include/drivers)

Now that these drivers have been leaked, would it be possible to run Linux on
old iPhones? From my understanding, the main reason it couldn't be done is
because nobody had access to the driver source code, and now..

~~~
dsl
It looks like just the headers, not the actual source code.

Also iBoot is basically the "BIOS" of the phone. Just enough to get it up and
running and then load iOS into memory and kick it off, so it wouldn't have
drivers for things like the touch screen or accelerometer for example.

~~~
kyrra
[https://github.com/h1x0rz3r0/iBoot/blob/master/platform/s5l8...](https://github.com/h1x0rz3r0/iBoot/blob/master/platform/s5l8945x/pmgr/pmgr.c#L360)

I'd disagree, this includes source code.

~~~
revelation
For power management and sequencing chips. Like a BIOS would.

There are no interesting drivers there.

------
monocasa
> in 'Biggest Leak in History'

IDK, the Win2K source leak was pretty big.

~~~
sgillen
The author of the quote may have meant biggest leak in Apple's history, which
it may well be.

As for biggest leak in history, maybe the shadow brokers leak of all those NSA
tools? I'm not sure if anything huge resulted from the Win2k leak but I'm not
too informed about it.

~~~
JKCalhoun
1989, "Nu Prometheus League", I believe the Macintosh ROM's source was leaked:

[http://www.nytimes.com/1989/11/20/business/us-inquiry-into-t...](http://www.nytimes.com/1989/11/20/business/us-inquiry-into-theft-from-apple.html)

~~~
exikyut
I take it this isn't really floating around out there. :(

------
codemusings
From the source_layout.txt in /docs:

    
    
      ...
      
      /arch/arm
              ARM-specific code.
      
      /docs
              Optimisim.
      
      /drivers
              Portable drivers and driver infrastructure.
      ...
    

There's more documentation in this folder than most projects have :)

~~~
stfwn
From the IO Spreadsheet Standard document (in /docs):

"This document describes the format of the I/O Spreadsheet for iOS Products.
(...) The I/O spreadsheet shall be sheet in an Excel workbook."

Numbers? Nope, Excel.

~~~
thesmok
I've tried to use Numbers for technical stuff and found it too unreliable. A
big surprise was when I filtered the spreadsheet by column values so only a
subset of rows were visible, then selected a range of rows in that subset and
deleted them. When I disabled the filtering I found that it also deleted rows
in that range that were hidden.

------
elevated
All the GitHub repos seem to have been hit with DMCA takedowns, so here is a
mirror:
[https://0xacab.org/sizeofcat/iBoot](https://0xacab.org/sizeofcat/iBoot)

------
dsl
In the docs directory there is a guide to fuzzing. On the plus side, from my
initial read, it looks like most of the important stuff has fuzzing harnesses
already which means the code should be free of most low hanging security bugs.
It also means that with the harnesses already in place, it will be easy for
outsiders to just throw a ton of compute at it and possibly find some of the
deeper issues.

~~~
virgilp
You mean, more tons of computing than Apple can afford?

~~~
CodeWriter23
You mean, more tons of computing than Apple has already thrown at the problem?

------
blowski
How does something like this get leaked? A rogue Apple developer?

~~~
jchb
Just totally speculating here, but there are some class action suits
regarding the Apple battery debacle. Maybe they had to provide source code as
part of pre-trial discovery, and it got leaked that way?

~~~
eddyg
This was released on reddit[1] back in September of 2017 and is not related to
any battery lawsuits.

[1]
[https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot...](https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot_bootrom_ibss_ibec_illb_source_codes/)

------
TheEnder8
The newest copyright on any file is 2015. The source code might be quite old.

(Yes, I realize that a copyright header doesn't actually stay in sync with
patches. It's just the only indicator of date there is)

~~~
deckard1
There are a few references to 2016. There is also a target/iphone8 folder.
Don't see any reference to iPhone X though.

~~~
kalleboo
"iphone8" might not be a reference to a product name but the internal model
numbers "iPhone8,1"/"iPhone8,2" which are the 6s and 6s Plus (released in
2015). The iPhone 8 model number is "iPhone10,1"

edit: there appears to be a reference to "N66" in init.c, which is the
codename for the 6s

------
okket
Unless there are encryption keys hidden in source code that I can't find, I
fail to see the implications of this leak.

~~~
bitwise-evan
It is much easier to find security vulnerabilities if you have the source
code.

~~~
tinus_hn
Better switch the Linux servers to Windows then

~~~
taspeotis
The source code for Windows is available if you meet certain requirements:
[https://www.microsoft.com/en-us/sharedsource/](https://www.microsoft.com/en-us/sharedsource/)

------
rambojazz
How to confirm it's not a farce but the actual source code? I could post
anything, whatever, and say "this is iBoot leaked".

~~~
loeg
[https://twitter.com/supersat/status/961480792483381248](https://twitter.com/supersat/status/961480792483381248)

~~~
ikeboy
I was involved with a case earlier this week with Apple making a false IP
claim under penalty of perjury, they don't seem to care too much. Have heard
from others who've been bullied by them as well.

Look up HARD2FIND ACCESSORIES INC v. AMAZON COM INC APPLE INC for another
instance of them abusing IP claims.

~~~
jmull
I looked that case up...

Doesn't it show the opposite of what you claim?

Hard2find's suit against Apple and Amazon was dismissed with prejudice and
that decision was confirmed on appeal.

~~~
ikeboy
They ruled that Apple had immunity, which is not the same as finding that
Apple didn't lie.

~~~
jmull
Well, they ruled Apple had immunity because their petition could not be
construed as a sham. Also, they ruled there were no facts to support the
Apple/Amazon conspiracies the plaintiff suggested AND ruled there wasn't even
any hope that such facts could be supplied were the suit to be amended.

Whatever lie you think Apple is guilty of, there doesn't appear to be any sign
of it amongst the material of the suit. Going to court is expensive and
time-consuming, so I presume that if such facts were available, the plaintiff would
have used them.

You can believe whatever you want, but it seems like you'll have to do it
despite the absence of supporting facts, at least in this case.

~~~
ikeboy
I don't think the court ended up considering the main point, which is that
Apple had no evidence that H2F's units specifically were fake.

~~~
jmull
Wait a sec... _you_ cited this case. If it doesn't actually address your main
point then why reference it?

You're making pretty strong claims but are providing links to back it up that
don't actually back it up. I don't see why anyone would take what you're
saying seriously.

~~~
ikeboy
It shows Apple making an IP claim containing false allegations.

Like I said, the fact that they weren’t found to be legally liable for that is
not relevant to the point I’m making, which is that they lied in an IP claim.
Apple retracted the claim, as mentioned in the original complaint. They may
have immunity under free speech doctrines for lying, but that doesn’t change
the fact that they lied.

To be clear, the court didn’t make a decision either way on whether Apple
lied. I am saying that they lied, based on the fact that they filed a
complaint without basis or with flimsy basis (reviews that were not tied to a
seller), and that I know of several other instances of Apple doing the exact
same thing, I know some people were considering a class action against Apple
for this last year. It’s just really hard and expensive to go up against Apple
or any large company in court, so they are getting away with it.

------
NietTim
Anyone have a clue what the 'thunderbolt'/'thunderboot' driver is? Almost
seems like they have proprietary thunderbolt cables for developing this or
something? Relevant files:
[https://github.com/h1x0rz3r0/iBoot/tree/master/drivers/thund...](https://github.com/h1x0rz3r0/iBoot/tree/master/drivers/thunderbolt)

~~~
ea016
Some Macs have the ability to load OSX from network or from an external hard
drive. It might be the same on the iPhone

~~~
acdha
Thunderbolt could allow direct memory access which would be really useful for
low-level debugging early in the boot process before higher-level tools are
available.

------
solarkraft
Does this have any real implication for iPhone hacking?

~~~
qrbLPHiKpiux
Yes, any leak does.

------
stuntkite
Does this mean Jailbreaking might be a thing again? I've been wanting to use
some iOS devices (like 6 and newer) for some projects and now jailbreaking is
super dead. I am not an embedded wizard, but I think it's pretty hard to get a
new bootloader on an iOS device currently. Does anyone have better info on
that?

~~~
kiliankoe
Wasn't an iOS 11 jailbreak announced just the other day? I don't think the
scene is dead at all, it's just that many of us who once used jailbreaks on
every iOS version no longer do and don't follow those news anymore.

~~~
imron
There's also the fact that if you have an exploit for a recent iPhone, that
can sell for upwards of a million dollars (edit: $1.5 million for a remote
jailbreak with persistence:
[https://www.zerodium.com/program.html](https://www.zerodium.com/program.html)).

If you have the capabilities to hack the iPhone you are then faced with a
question - do you release it for free or do you sell it for a million dollars.

A million dollars is life changing enough that many hackers will take that
option.

~~~
zie
You presumably could do both, sell it for a million dollars, and then send an
email to apple as well. I'm sure the terms of the sale stipulate you can't
share it with anyone else, but if you can hack the iPhone but can't figure out
how to send anonymous email to Apple, you are doing something wrong.

~~~
imron
According to zerodium's faq, there are bonuses for exploits that meet specific
lifespan requirements.

------
lorenzofb
Here's the story behind the leak:
[https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone...](https://motherboard.vice.com/en_us/article/xw5yd7/how-iphone-iboot-source-code-leaked-on-github)

------
EatonZ
Interesting:
[https://github.com/h1x0rz3r0/iBoot/blob/master/apps/iBoot/bo...](https://github.com/h1x0rz3r0/iBoot/blob/master/apps/iBoot/boot.c#L56)

~~~
amorde
Looks like it just stands for "find boot images", given the name of the
function...

~~~
EatonZ
Probably, still spooky to see that there!

------
moon4u
Could a potential jailbreak be used to unlock an iphone?

------
singularity2001
where's the mirror?

~~~
wafflesraccoon
Here you go
[https://0xacab.org/sizeofcat/iBoot/](https://0xacab.org/sizeofcat/iBoot/)

------
flyGuyOnTheSly
If true, this will be the catalyst to Apple stock tanking this morning... and
possibly the entire US stock market.

IT Security is serious stuff.

~~~
voltagex_
Why? Don't overreact.

~~~
flyGuyOnTheSly
We're already on pretty shaky ground... biggest Net Change drop in DOW Jones
history just happened 3 days ago.

~~~
saagarjha
…which was completely unrelated to this at all?

------
Froyoh
"This document may not be reproduced or transmitted in any form, in whole or
in part, without the express written permission of Apple Inc."

------
sigzero
I hope the poster is caught and thrown in jail.

------
murukesh_s
Can we figure out where they are putting the 'code' to slow down the older
phones? If we can figure it out it could be a big shame for Apple, if any..

~~~
saagarjha
Maybe the fact that nobody has found it yet means that it doesn't exist? The
"code" behind battery throttling has already been found (as in, it's been
disassembled).

------
bob_theslob646
How hard will it be for Apple to patch this?

~~~
eridius
To patch what? This isn't a vulnerability. This is leaked source code. Apple
can file takedown notices to GitHub since they own the copyright but people
can always post it somewhere else.

~~~
bob_theslob646
That is what I thought. I apologize for the stupid question.

~~~
skygazer
No need to apologize. This source, which Apple intended to stay private, may
(or may not) still reveal exploitable vulnerabilities, which would need to be
patched, if they exist, but it's not immediately obvious either way.

