Key iPhone Source Code Gets Posted Online (vice.com)
261 points by tonyztan on Feb 8, 2018 | hide | past | favorite | 112 comments

Here's the link to the github repo, since the article didn't mention it: https://github.com/h1x0rz3r0/iBoot

Source live as of now: https://0xacab.org/sizeofcat/iBoot

I'm surprised it hasn't been taken down yet

GitHub seems like an odd place to post this kind of thing. I would have expected an IPFS link, or an I2P torrent, or something like that.

The article says that it was first posted on Reddit, but nobody noticed for a while. The Github copy is almost certainly a repost, by a different author than the original leak.

"This source code first surfaced last year, posted by a Reddit user called “apple_internals” on the Jailbreak subreddit. That post didn’t get much attention since the user was new and didn’t have enough Reddit karma; the post was quickly buried. Its new availability on GitHub..."

This is the original Reddit post from Sep 22, 2017: https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot...

There’s lots of stolen shit on github, including (as of a few months ago) the Windows 2k3 kernel.

I’m not surprised by this leak. I am surprised more people aren’t aware of this.

Damn, too late to see this. Dead already.


Now that these drivers have been leaked, would it be possible to run Linux on old iPhones? From my understanding, the main reason it couldn't be done is because nobody had access to the driver source code, and now..

We've been able to run Linux on old iPhones for quite a while now, as can be noted from the defunct iDroid project, which managed to successfully port the Linux kernel and Android userspace to the iPhone 2G, 3G, 3GS, and 4 using OpeniBoot. However, this is quite a nice advancement for those of us in the emulation community.

Disclaimer: I'm working with some other team members on the revival of the iEmu iPhone emulator.

> However, this is quite a nice advancement for those of us in the emulation community.

It won't be if you taint what you are working on. Just looking at this will cause lots of legal problems down the road.

Don't Touch. Don't Look. Don't Think. Don't Breathe.

That will keep you safe.

Practically speaking, yes. But these drivers would never be merged into the mainline kernel as the source code was obtained illegally. Writing a Linux driver from scratch on the basis of this code would still mean huge legal problems for the Linux kernel.

Surely this code would be useful to a clean room design though?

I.e. someone looks at the leaked code and writes a specification, then posts/shares that spec, and another person or team uses the spec to write a compatible driver without having looked at the leaked source code.

I don't think so. The only thing you're allowed to do is stuff like Wireshark, where you observe the behavior and not the actual code.

Pretty sure that's not true -- I believe you just have to make sure that only a spec gets "thrown over the wall", and no descriptions of implementation or architecture.

Hijacking your post to add a link to the repo that's not DMCA'd: https://0xacab.org/sizeofcat/iBoot/

It looks like just the headers, not the actual source code.

Also iBoot is basically the "BIOS" of the phone. Just enough to get it up and running and then load iOS into memory and kick it off, so it wouldn't have drivers for things like the touch screen or accelerometer for example.


I'd disagree, this includes source code.

For power management and sequencing chips. Like a BIOS would.

There are no interesting drivers there.

I was referring to the directory the grand-parent referred to. Of course there is source in other places.

There's also a /drivers directory which seems to contain source files for many of the /include/drivers header files.

> in 'Biggest Leak in History'

IDK, the Win2K source leak was pretty big.

The author of the quote may have meant biggest leak in Apple's history, which it may well be.

As for biggest leak in history, maybe the shadow brokers leak of all those NSA tools? I'm not sure if anything huge resulted from the Win2k leak but I'm not too informed about it.

1989, "Nu Prometheus League", I believe the Macintosh ROM's source was leaked:


I take it this isn't really floating around out there. :(

I don't know, Apple had all the source code to GS/OS leak a few years ago. Now _that's_ serious!

Wasn't that one a partial leak stripped of some interesting bits?

Nothing significant was missing.

For some reason the press relayed the news as "Windows NT and a small portion of Windows 2k source code were leaked". This was false, possibly started by Microsoft itself to downplay the scope of the leak. Virtually everything was there. Some people built it and booted it up.

I did some research [0] and I cannot find anyone claiming that more than ~15% of the Win 2k source code was available.

People are able to build and boot Win NT, not Win 2k.

[0]: https://www.betaarchive.com/forum/viewtopic.php?f=61&t=33250...

There was a third leak, circa 2003, the Windows Research Kernel, which is what you'd get if, say, you had an academic license as part of a university or something.

That one you could very much build and alter.

Windows NT 4.0, yes. But 2000 would surprise me. To my knowledge, at least the product key handling was missing.

From the source_layout.txt in /docs:

          ARM-specific code.
          Portable drivers and driver infrastructure.
There's more documentation in this folder than most projects have :)

From the IO Spreadsheet Standard document (in /docs):

"This document describes the format of the I/O Spreadsheet for iOS Products. (...) The I/O spreadsheet shall be sheet in an Excel workbook."

Numbers? Nope, Excel.

I've tried to use Numbers for technical stuff and found it too unreliable. A big surprise was when I filtered the spreadsheet by column values so only a subset of rows were visible, then selected a range of rows in that subset and deleted them. When I disabled the filtering I found that it also deleted rows in that range that were hidden.

With the pushes Microsoft has made in the past few years at making office significantly better on Mac, I'm not surprised.

I like /docs: Optimism..

All the GitHub repos seem to have been hit with DMCA takedowns, so here is a mirror: https://0xacab.org/sizeofcat/iBoot

In the docs directory there is a guide to fuzzing. On the plus side, from my initial read, it looks like most of the important stuff has fuzzing harnesses already which means the code should be free of most low hanging security bugs. It also means that with the harnesses already in place, it will be easy for outsiders to just throw a ton of compute at it and possibly find some of the deeper issues.
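For readers who have not seen what "a fuzzing harness already in place" looks like in practice, here is an added example of the shape such a harness takes. It is not code from iBoot or from the leaked /docs: the IMG1 header format, the `img_*` function names and the input bytes are all invented for the example. Only the entry-point name `LLVMFuzzerTestOneInput` is real (it is what libFuzzer calls). The harness wraps a small parser that does exactly the kind of length check a fuzzer with ASan would catch if it were missing.

```c
/* Added example, not iBoot code. A libFuzzer-style harness around a small,
 * hypothetical boot-image header parser. The "IMG1" format below is invented
 * purely to show how a harness wraps a parser so a fuzzer can drive it.
 * Stand-alone build:  cc -o harness harness.c && ./harness
 * Fuzzing build:      clang -fsanitize=fuzzer,address harness.c (main is
 *                     then supplied by libFuzzer; drop ours). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAGIC      0x494D4731u   /* "IMG1", hypothetical */
#define IMG_HEADER_LEN 12            /* magic, version, payload_len */

/* Parsed view of the hypothetical header. */
struct img {
    uint32_t magic;
    uint32_t payload_len;
    const uint8_t *payload;
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, a negative code on rejection. The comparison of the
 * declared payload_len against the bytes actually present is the check a
 * fuzzer exercises: without it, a header that lies about its size would make
 * img_checksum() read past the end of the input buffer. */
int img_parse(const uint8_t *buf, size_t len, struct img *out) {
    if (len < IMG_HEADER_LEN) return -1;              /* truncated header */
    uint32_t magic = rd32le(buf);
    uint32_t version = rd32le(buf + 4);
    uint32_t payload_len = rd32le(buf + 8);
    if (magic != IMG_MAGIC) return -2;
    if (version != 1) return -3;
    /* len - IMG_HEADER_LEN cannot underflow: the first check guarantees it. */
    if (payload_len > len - IMG_HEADER_LEN) return -4; /* header overstates size */
    out->magic = magic;
    out->payload_len = payload_len;
    out->payload = buf + IMG_HEADER_LEN;
    return 0;
}

/* Touches every payload byte, which is what lets AddressSanitizer report an
 * over-read if the bounds check in img_parse() were ever removed. */
uint32_t img_checksum(const struct img *im) {
    uint32_t sum = 0;
    for (uint32_t i = 0; i < im->payload_len; i++) sum = sum * 31u + im->payload[i];
    return sum;
}

/* libFuzzer entry point: the fuzzer calls this repeatedly with mutated inputs.
 * It must accept arbitrary bytes and never crash on rejected input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct img im;
    if (img_parse(data, size, &im) == 0) (void)img_checksum(&im);
    return 0;
}

/* Constructs a test input with a declared payload size that may differ from
 * the bytes actually appended, so callers can build both honest and lying
 * headers. Returns total bytes written, 0 if cap is too small. */
size_t img_build(uint8_t *out, size_t cap, uint32_t declared, size_t actual) {
    if (cap < IMG_HEADER_LEN + actual) return 0;
    uint32_t fields[3] = { IMG_MAGIC, 1u, declared };
    for (int f = 0; f < 3; f++)
        for (int b = 0; b < 4; b++) out[f * 4 + b] = (uint8_t)(fields[f] >> (8 * b));
    memset(out + IMG_HEADER_LEN, 0xAB, actual);     /* constructed filler bytes */
    return IMG_HEADER_LEN + actual;
}

/* Returns 1 when the parser accepts a consistent header and rejects one that
 * overstates its payload or is too short; 0 otherwise. */
int img_selftest(void) {
    uint8_t buf[64];
    struct img im;
    size_t n = img_build(buf, sizeof buf, 16, 16);
    if (n != 28 || img_parse(buf, n, &im) != 0 || im.payload_len != 16) return 0;
    n = img_build(buf, sizeof buf, 1000, 16);       /* claims 1000, carries 16 */
    if (img_parse(buf, n, &im) != -4) return 0;
    if (img_parse(buf, 5, &im) != -1) return 0;
    return LLVMFuzzerTestOneInput(buf, n) == 0;
}

int main(void) {
    printf("selftest: %s\n", img_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The point of the shape is that everything a fuzzer needs is the single `LLVMFuzzerTestOneInput` function; the corpus and mutation strategy live outside the code, which is why a harness that ships with the source lets anyone with compute pick up where the original developers left off.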

You mean, more tons of computing than Apple can afford?

You mean, more tons of computing than Apple has already thrown at the problem?

How does something like this get leaked? A rogue Apple developer?

Just totally speculating here, but there are some class action suits regarding the Apple battery debacle. Maybe they had to provide source code as part of pre-trial discovery, and it got leaked that way?

This was released on reddit[1] back in September of 2017 and is not related to any battery lawsuits.

[1] https://www.reddit.com/r/jailbreak/comments/71p5qs/newsiboot...

Bad permission management, untrustworthy third-party, USB drives, APT(?), human error, etc.

The newest copyright on any file is 2015. The source code might be quite old.

(Yes, I realize that a copyright header doesn't actually stay in sync with patches. It's just the only indicator of date there is)

It's just a bootloader. I don't think they changed much between iOS 9 and 11. They probably only added support for newer boards/devices.

The article states that the code is from iOS 9, which was first released in 2015.

There are a few references to 2016. There is also a target/iphone8 folder. Don't see any reference to iPhone X though.

"iphone8" might not be a reference to a product name but the internal model numbers "iPhone8,1"/"iPhone8,2" which are the 6s and 6s Plus (released in 2015). The iPhone 8 model number is "iPhone10,1"

edit: there appears to be a reference to "N66" in init.c, which is the codename for the 6s

The iPhone 6S, which was released 2015 with iOS9, had the hardware string 8,1, so nothing unexpected there.


Unless there are encryption keys hidden in source code that I can't find, I fail to see the implications of this leak.

It is much easier to find security vulnerabilities if you have the source code.

Better switch the Linux servers to Windows then

The source code for Windows is available if you meet certain requirements: https://www.microsoft.com/en-us/sharedsource/

Only applies if there are significant bugs. Presumably Linux has fewer of them than Windows, but it's hard to say as Windows gets a lot of attention.

Then maybe Apple leaked this code intentionally to harvest free security reviews?

Please, it doesn’t help anything to publish unfounded conspiracy theories. Apple already publishes open source projects and has a bug bounty in which they pay for security vulnerabilities in some areas of iOS. It’s ludicrous to advance the theory that they hatched a plan to leak this important project to Reddit instead of through one of their official channels.

Risky strategy, it depends on who does the review. (It should be a motivator for white-hats to dig into this - black-hats surely will).

How to confirm it's not a farce but the actual source code? I could post anything, whatever, and say "this is iBoot leaked".

I was involved with a case earlier this week with Apple making a false IP claim under penalty of perjury, they don't seem to care too much. Have heard from others who've been bullied by them as well.

Look up HARD2FIND ACCESSORIES INC v. AMAZON COM INC APPLE INC for another instance of them abusing IP claims.

I looked that case up...

Doesn't it show the opposite of what you claim?

Hard2find's suit against Apple and Amazon was dismissed with prejudice and that decision was confirmed on appeal.

They ruled that Apple had immunity, which is not the same as finding that Apple didn't lie.

Well, they ruled Apple had immunity because their petition could not be construed as a sham. Also, they ruled there were no facts to support the Apple/Amazon conspiracies the plaintiff suggested AND ruled there wasn't even any hope that such facts could be supplied were the suit to be amended.

Whatever lie you think Apple is guilty of, there doesn't appear to be any sign of it amongst the material of the suit. Going to court is expensive and time-consuming, so I presume that if such facts were available, the plaintiff would have used them.

You can believe whatever you want, but it seems like you'll have to do it despite the absence of supporting facts, at least in this case.

I didn't say anything about the anti-trust claims, it's typical for plaintiffs to pile on as many claims as they think are remotely plausible to stick.

The lie is the claim that Apple made that plaintiffs were selling fake goods, which you'll note Apple retracted later. Whether they have liability for their lie or have immunity under free speech doctrines doesn't change the fact that they abused IP claims.

This is not an isolated instance with Apple, I have seen many others. But, as this case demonstrates, it's very tough to hold large companies accountable without a very large legal budget.

I don't think the court ended up considering the main point, which is that Apple had no evidence that H2F's units specifically were fake.

Wait a sec... you cited this case. If it doesn't actually address your main point then why reference it?

You're making pretty strong claims but are providing links to back it up that don't actually back it up. I don't see why anyone would take what you're saying seriously.

It shows Apple making an IP claim containing false allegations.

Like I said, the fact that they weren’t found to be legally liable for that is not relevant to the point I’m making, which is that they lied in an IP claim. Apple retracted the claim, as mentioned in the original complaint. They may have immunity under free speech doctrines for lying, but that doesn’t change the fact that they lied.

To be clear, the court didn’t make a decision either way on whether Apple lied. I am saying that they lied, based on the fact that they filed a complaint without basis or with flimsy basis (reviews that were not tied to a seller), and that I know of several other instances of Apple doing the exact same thing, I know some people were considering a class action against Apple for this last year. It’s just really hard and expensive to go up against Apple or any large company in court, so they are getting away with it.

Given that immunity doctrine, there’s a really high bar to proving liability. There’s enough facts there to determine that Apple had no reasonable basis for the claim.

No evidence?

H2F's complaint included customer complaints regarding the authenticity of H2F's products, which could support Apple's trademark infringement and counterfeiting concerns, and therefore Apple's notice to Amazon was not baseless.

See paragraph 37 and the other ones around it in https://www.scribd.com/document/232206495/Hard-2-Find-compla...

The court appeared to ignore the point there.

Note that "customer complaints regarding the authenticity of H2F's products" do not appear in the complaint.

I believe the complaints were on the listing, which means Apple had no way to know which seller it was from

Apple could send out takedown/cease and desist to any and all sellers if they wanted, based on the reviews of counterfeit. They could also connect reviews of "cheap" "counterfeit" goods to the one seller massively undercutting the rest which was also not an authorized seller of Apple products and since Apple is the manufacturer and distributor, they may have been able to eliminate other sellers. Which appears to be what they did. Was this overzealous or a dumb mistake? Maybe, maybe not - it's not clear that H2F wasn't selling counterfeit cases ("H2F also cannot support its conclusory assertion that the iPad cases it sold were genuine because it cannot say how or from whom it acquired them"). But it certainly wasn't a sham and that's the only bar Apple needs to clear for immunity under Noerr-Pennington.

>Apple could send out takedown/cease and desist to any and all sellers if they wanted, based on the reviews of counterfeit.

That's not the issue here, it's that they sent it to Amazon making false allegations about H2F.

Again, the fact that they don't have liability for their lie doesn't mean it wasn't a lie.

I'd note that the standard for a motion to dismiss is to accept the pleaded claims as fact, so they should accept H2F's claim that their products were genuine.

>one seller massively undercutting the rest

As the complaint says, several other sellers were pricing low.

Doesn't prove anything. Apple is huge, they can do with GitHub whatever they want.

So, Apple just lied and said it was theirs? That makes absolutely zero sense.


Apple submitted this DMCA to GitHub, and admitted, under penalty of perjury, that this source code is legitimate. Additionally, if it was fake, they wouldn't submit a DMCA.

Anyone have a clue what the 'thunderbolt'/'thunderboot' driver is? Almost seems like they have proprietary thunderbolt cables for developing this or something? Relevant files: https://github.com/h1x0rz3r0/iBoot/tree/master/drivers/thund...

Some Macs have the ability to load OS X from network or from an external hard drive. It might be the same on the iPhone.

Thunderbolt could allow direct memory access which would be really useful for low-level debugging early in the boot process before higher-level tools are available.

Does this have any real implication for iPhone hacking?

Yes, any leak does.

Does this mean Jailbreaking might be a thing again? I've been wanting to use some iOS devices (like 6 and newer) for some projects and now jailbreaking is super dead. I am not an embedded wizard, but I think it's pretty hard to get a new bootloader on an iOS device currently. Does anyone have better info on that?

Wasn't an iOS 11 jailbreak announced just the other day? I don't think the scene is dead at all, it's just that many of us who once used jailbreaks on every iOS version no longer do and don't follow those news anymore.

There's also the fact that if you have an exploit for a recent iPhone, that can sell for upwards of a million dollars (edit: $1.5 million for a remote jailbreak with persistence: https://www.zerodium.com/program.html).

If you have the capabilities to hack the iPhone you are then faced with a question - do you release it for free or do you sell it for a million dollars.

A million dollars is life changing enough that many hackers will take that option.

You presumably could do both, sell it for a million dollars, and then send an email to Apple as well. I'm sure the terms of the sale stipulate you can't share it with anyone else, but if you can hack the iPhone but can't figure out how to send anonymous email to Apple, you are doing something wrong.

According to zerodium's faq, there are bonuses for exploits that meet specific lifespan requirements.

I haven't tried in a long time. I just remember this Motherboard [1] article from June.

I think I heard that Cydia was shutting down? I ran into the founder at Defcon last year, he didn't say much about it going the way of the dodo, but I don't know anyone who jailbreaks really anymore.

Recently I just had some projects come up that could greatly benefit from a jailbroken iphone for some AR installation stuff so I thought this was interesting. Maybe I should give it a go.

[1] https://motherboard.vice.com/en_us/article/8xa4ka/iphone-jai...

Looks like it just stands for "find boot images", given the name of the function...

Probably, still spooky to see that there!

Although there's FBI written, that def just invokes calls of profile() which is probably to profile the certain parts of the bootloader. I doubt that being a backdoor, only clue would be the name, and that would be rather easily hidable.

Could a potential jailbreak be used to unlock an iphone?

where's the mirror?

If true, this will be the catalyst to Apple stock tanking this morning... and possibly the entire US stock market.

IT Security is serious stuff.

Serious for us, maybe. I'm not sure if it's serious for people that actually move stock prices. Intel is actually up since Spectre/Meltdown...

Why? Don't overreact.

We're already on pretty shaky ground... biggest net change drop in Dow Jones history just happened 3 days ago.

…which was completely unrelated to this at all?

"This document may not be reproduced or transmitted in any form, in whole or in part, without the express written permission of Apple Inc."

I hope the poster is caught and thrown in jail.

Can we figure out where they are putting the 'code' to slow down the older phones? If we can figure it out it could be a big shame for Apple, if any..

Maybe the fact that nobody has found it yet means that it doesn't exist? The "code" behind battery throttling has already been found (as in, it's been disassembled).

How hard will it be for Apple to patch this?

To patch what? This isn't a vulnerability. This is leaked source code. Apple can file takedown notices to GitHub since they own the copyright but people can always post it somewhere else.

That is what I thought. I apologize for the stupid question.

No need to apologize. This source, which Apple intended to stay private, may (or may not) still reveal exploitable vulnerabilities, which would need to be patched, if they exist, but it's not immediately obvious either way.
