Hacking the iPhone on an Intel Mac

Update: Check out An Easy SSH/SFTP iPhone Installer for a script that automates the entire process documented below and should work on Intel and PowerPC Macs alike.

Let’s start with a disclaimer. These instructions are cobbled together from various sources. They are offered as is. When possible GUI applications are used to minimize the amount of time spent on the command line. The entire process should take roughly half an hour (including activation). You take complete responsibility for your actions and any irreparable harm they might do to your iPhone, its warranty or AT&T contract. Now that that’s out of the way…

Before performing any iPhone hacking its a good idea to first sync your iPhone with iTunes (so your settings are backed up should things get ugly) and then quit iTunes and more importantly iTunesHelper (which is responsible for launching iTunes when the iPhone is connected or restarted while connected). Launch /Applications/Utilities/Activity Monitor and type “itunes” in the search box. Select iTunes and then click the red, stop-sign “Quit Process” button in the top left. Do the same for iTunesHelper (and iPhoto if open) and quit Activity Monitor.

Activating an iPhone without an AT&T contract

Skip this step if you’re working with an activated iPhone.

Download the latest version of iActivator from the iPhone Dev Wiki (you’ll have to google the wiki and then search for “iactivator”—they have a no linking policy). Follow the included readme.txt. Easy-peasy—when it works. For me, Jailbreak failed the first couple of tries despite the application claiming success. You can tell it failed if the “Put PEM file” button remains grayed out after clicking OK. Activation failed a couple times for me too. Just quit iActivator and try again fresh. Quit iActivator when you’re done.

Setting up SFTP on the iPhone

Download and install the latest version of iFuntastic. Launch and click the “Prepare” button. Follow the onscreen instructions to Jailbreak your phone. Jailbreaking is a finicky process. Multiple tries might be required so don’t get too discouraged if things don’t go smoothly on the first attempt. Next download the ssh installer from this article and unzip it.

Open /Applications/Utilities/Terminal, type cd (followed by a space), then drag the unzipped ssh folder onto your Terminal window and hit enter. Next type ./iPhoneMacSSHInstall.sh and hit enter. Again, follow the onscreen instructions.

Once the ssh installation is complete (press Control+C to proceed without Jailing) and your iPhone has restarted for the eleventy billionth time you can find your iPhone’s IP address in Settings > Wi-Fi by clicking the blue arrow next to your active Network.

Test your ssh connection by typing the following into your Terminal window:

ssh -l root 192.168.1.*

Replacing 192.168.1.* with your iPhone’s IP address and hit enter. You’re waiting for a password challenge for [email protected]*. The default password is dottie (any Pee-wee’s Big Adventure fans in the audience?). Once successfully logged in your command line prompt should read -sh-3.2#. Type exit and hit enter.

Next we need to secure ssh. In the same Terminal window type cd ~ and hit enter. Then type:


And hit enter. Now type:

getfile /etc/master.passwd master.passwd.original

And hit enter. This will download a file named master.passwd.original to your User directory. Open that file in a plain text editor. In a new Terminal window type:

 perl -e 'print "\\n".crypt("NEWPASSWORD", "XX")."\\n\\n"'

Replacing NEWPASSWORD with a new password and XX with two random characters, then hit enter. Copy the 13 character output and close the Terminal window. Replace the 13 characters between the first two colons on lines 10 and 11 in master.passwd.original (after root and mobile) by pasting over them and save. In your original Terminal window type:

putfile /Users/USERNAME/master.passwd.original /etc/master.passwd

Replacing USERNAME with your OS X short username and hit enter. Then type exit and hit enter.

Now we need to add an sftp-server so we can wash our hands of all this criminal command line activity. Download the latest iphone-binkit courtesy of NerveGas and unzip.

In your Terminal window type scp -rp (followed by a space) then drag sftp-server (which is located in the /libexec/ directory of the iphone-binkit you just unzipped) onto your Terminal window. Continue typing [email protected]*:/usr/libexec, replacing 192.168.1.* with your iPhone’s IP address and hit enter. After providing your new ssh password and the upload completes you need to ssh into your iPhone (by typing ssh -l root 192.168.1.*) to set the necessary permissions. Once logged on type:

chmod +x /usr/libexec/sftp-server

And hit enter. Type exit and hit enter to log off. You can now quit Terminal. Huzzah!

Switch back to iFuntastic, click the “Finish” button in the bottom left. If the “Jail” button on that screen is grayed out, click the “Prepare” button in the top left and then click the “Continue” button. Return to the “Finish” screen and click “Jail” then restart your iPhone (which should be second nature at this point). Quit iFuntastic.

Adding third-party native apps to the iPhone

Finally let’s upload some apps, an NES emulator and a command line screen capture utility. Open up Transmit and click on the Connect tab. Enter your iPhone’s IP address in the Server field. Your User Name is root, your Password is the same as your new ssh password, Initial Path should be / and don’t forget to change the Protocol to “SFTP.” Login may take a few moments. Download the latest version of NerveGas’ NES and unzip. Upload NES.app into the /Applications/ directory on your iPhone. Then navigate to /var/root/Media/ and create a new folder named ROMs. Inside that folder create a new folder named NES. Upload your ROMs into the freshly created NES folder. Do not email me asking for ROMs. This is the internets. Use it.

Now download screenshot and unzip. Go back up to the root of your iPhone and navigate to /usr/bin/. Upload screenshot. Once uploaded get info on it and make sure that its permissions are set to 755.

Time to restart the iPhone again. NES should now be on the home screen! Click the icon, select a ROM and groan about the lack of tactile feedback—as if Ninja Gaiden could get any more frustrating.

Now to take a screenshot. ssh into your iPhone as explained previously. Once in, type screenshot and hit enter. The capture is saved in /tmp/ as foo_0.png which you can then download with Transmit and Flickr or blog as evidence of how you completely pwn3d the iPhone.

With SFTP installed on your iPhone adding additional applications in the future will be a breeze. Upload GUI apps to /Applications/, command line utilities to /usr/bin/, double-check your permissions and then restart the iPhone.

One more thing…Exorcising Marker Felt

This one’s for John. Two copies of the two weights of Marker Felt can be found in /System/Library/Fonts/ and /System/Library/Fonts/Cache/. Navigate to those directories with Transmit and delete both sets with extreme prejudice, restart your iPhone and enjoy what limited functionality Notes has to offer.

Duck Hunt on the iPhone
Shaun Inman
August 9th, 2007 at 12:23 pm