Friday, November 25, 2011

Using SAM to officially activate an iPhone and receive valid Push Certificates.

As mentioned in the last post, Push notifications (as used by the Facebook app, or Find My iPhone) rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID. These certificates are handed out by Apple's servers when a phone is first activated through iTunes, and when the first app that uses Push notifications is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts Apple's servers with invalid certs, or both. To get valid certificates, you will need to do the following:
  1. Follow the guide available here:
  2. I got an “invalid sim” error in iTunes when I went to try and activate the iPhone. There is a way around this by specifying the original carrier that the phone is locked to in the SAM Prefs settings. However, if, like me, you don't know which carrier the iPhone is originally locked to, and you are unsuccessful in getting your phone activated in this way, you can do the following:
  3. Go to Settings->About->Model, and make a note of the model number.
  4. Go to and look up the model number to see which carrier the iPhone was originally on.
  5. Under Settings->SAM, click on “method” and change it to country and carrier. Then, under “method”, enter the original carrier and country details. If even that doesn't work, change it back to “automatic” and it should work.
  6. Install an application that uses Push to finalise the process. You can download “iPusher” from the App Store, or “Push Checker” from Cydia (add the repo from: ), to test whether your push notifications are working.
  7. If iPusher reports an error, make sure that the iPhone is disconnected from the computer, go to Settings->SAM->Utilities and click on “Backup activation”. Then wait a minute, and click on “Restore Activation”. Restart the iPhone, and connect it up to iTunes again. Run iPusher or Push Checker again and you should have valid and unique certificates.
  8. To backup your certificates, you can use the guide here:

This will allow you to restore the official push certificates back onto the iPhone if you restore the iPhone in future.

How to get Push notifications working properly on your iPhone.

Push notifications (as used by the Facebook app, or Find My iPhone) rely on valid and unique certificates on the iPhone that are tied to that particular iPhone's UUID. These certificates are handed out by Apple's servers when a phone is first activated through iTunes, and when the first app that uses Push notifications is run. As such, a “hack-tivated” iPhone does not have valid certs, resulting in Push not working, the iPhone quickly draining its battery as it continuously contacts Apple's servers with invalid certs, or both. To get valid certificates, you have three choices:
  1. Get valid certificates using “Push Doctor” from Cydia. A guide is available here: I have had great success with this method, and am very grateful to them for giving out the valid certificates for free. Unfortunately it is becoming increasingly rare to find valid certificates on the server to grab. You will get an error during the installation if there // and checking the “remaining” counter on the left hand side.
  2. You can also pay for valid certificates using PushFix. First pay the $6 at the PushFix website here:, and then install PushFix from Cydia using the guide here: I have had mixed results with this method. Although I did get valid certificates on my iPhone and thus Push notifications worked, the battery began to drain very quickly. I have my suspicions that the certificates handed out by PushFix are not unique, causing the iPhone to keep trying the Apple Push servers until it gets a response, which is especially shitty considering they are charging money for them.
  3. The other option is to return the iPhone to a pre-activated state, and get an official activation, and thus Push certificates, by using iTunes to activate it. In the next post, I'll outline just how to do that.

How to restore an iPhone that is stuck in DFU/recovery mode

I was given an iPhone 3GS on iOS 4.3.3, baseband 6.15.00, that required a restore to delete all the user's data before they resold it. Now, as many of you reading this know, you can't just click "restore" in iTunes on a jailbroken or unlocked iPhone, as iTunes will restore the iPhone with the latest iOS software, removing the unlock and the jailbreak from the device. So I put the device into DFU mode and attempted a manual restore (ctrl-click or alt-click on restore in iTunes) of a 4.3.3 firmware to the device. I then went off for a cup of tea. Unfortunately, when I returned, the iPhone's screen was black, and iTunes was reporting an error. It wouldn't even charge from a wall adapter. The phone was also unresponsive to a hard reset (hold down the home and on/off buttons for 15 seconds). The "exit recovery" button in the application TinyUmbrella wouldn't work, and I had no SHSH blobs for the iPhone saved locally. However, it would show up as an "iPhone in recovery mode" in iTunes. After a good bit of trial and error, I finally got it working again.
  1. First off, you will need to get the iPhone's ECID. On the Mac, click on the Apple logo in the top left corner and then “About this Mac”. Then click on “More Info” and then “System Report”. Click on “USB” in the top left and then on the iPhone. Look for “ECID”, and the number should be beside it. (You may need to have the iPhone in DFU mode for this number to show up.)
  2. Power up TinyUmbrella. Click on Manual ECID, and enter the one that you got from the previous step. Click on the newly added iPhone on the left and then “Save ALL SHSHs”. If you click on the log, it should tell you if it finds any previously backed up SHSH blobs on the Cydia server. If it doesn't, you may be able to use “iFaith” to recover the current SHSH blob from the iPhone.
  3. If TinyUmbrella does find an SHSH blob on the server, it will save it to your local drive. If you click on the iPhone on the left, under the general tab, you should see a list of firmwares that the SHSH blob has been saved for. Make a note of one that you wish to restore your iPhone to.
  4. Download the corresponding firmware for your iPhone off the internet (Google is your friend). If you wish, use PwnageTool to customise the firmware to your liking (unlock your phone, etc.).
  5. Go back to TinyUmbrella. Click on “Start TSS Server”. This will enable TinyUmbrella to serve the SHSH blob(s).
  6. Open iTunes. Under the iPhone menu, alt-click (or ctrl-click) on “restore” and select your firmware. Follow the instructions. If you have TinyUmbrella open in the background, click on “log”, and you should see iTunes requesting the SHSH blob and TinyUmbrella returning the blob.
  7. If during the restore you get a “10**” error in iTunes, use TinyUmbrella to exit the phone out of recovery mode.
  8. Congratulations, the phone should be working now. If the phone needs to be jailbroken, activated or unlocked at this stage, you can use redSn0w along with the firmware file.

Saturday, April 30, 2011

Recovering an Xbox 360 from a bad NAND flash

Many moons ago, I bought an Xbox 360 for cheap that I was hoping to hack to play homebrew games on. A hack was discovered for Xbox 360s (the "JTAG hack") that allowed them to run unsigned code on the consoles. However, Microsoft released a software update that permanently stopped this hack, and stopped the consoles from being downgraded to an earlier, hack-friendly software version. They did this utilising "eFuses", developed by IBM for the 360's Xenon CPU. IBM had originally developed eFuses as a method to "reroute chip logic, much the way highway traffic patterns can be altered by opening and closing new lanes". The idea was that a chip could regulate speed or power consumption by simply tripping a fuse, or more impressively, "repair unexpected, potentially costly flaws".

Microsoft, who had one of the first implementations of this technology, had a more sinister plan when it utilised these eFuses. Microsoft were "blowing" eFuses after each significant software/kernel update. This would prevent hackers from downgrading to a previous version of the Xbox OS and exploiting known bugs. The console's security checks relied on the status of these eFuses: attempt to run an older software revision, and those checks would fail. Therefore only Xbox 360s with a kernel version of 2.0.7371.0 or below could be exploited with the JTAG hack.
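To make the anti-rollback idea concrete, here is a small Python model I am adding to this post (it is not Microsoft's or IBM's code; the fuse line width, the field names and the `>=` comparison are my assumptions, and the "generation" numbers attached to the version strings are constructed). It shows a fuse line whose bits can only ever be set, an update that blows a fuse, and a boot check that refuses any build older than the fuse count, which is exactly why a downgrade stops working.

```python
# Toy model of eFuse-backed anti-rollback as described above.
# Constructed illustration: bit width, field names and the comparison are
# assumptions, not the Xbox 360's real bootloader logic.
from dataclasses import dataclass

FUSE_BITS = 8  # assumed width of the single fuse line modelled here


@dataclass
class FuseLine:
    """One-time-programmable bits: a 0 can be burned to 1, never restored to 0."""
    bits: int = 0

    def burned(self) -> int:
        """Number of fuses blown so far: the device's minimum accepted generation."""
        return bin(self.bits).count("1")

    def program(self, mask: int) -> None:
        """Hardware semantics: programming can only set bits; clearing is impossible."""
        if mask < 0 or mask >> FUSE_BITS:
            raise ValueError("mask exceeds fuse line width")
        self.bits |= mask  # OR, never assignment: bits already at 1 stay at 1

    def burn_next(self) -> int:
        """Blow the lowest unblown fuse; returns the new count."""
        n = self.burned()
        if n >= FUSE_BITS:
            raise RuntimeError("fuse line exhausted: no further updates possible")
        self.program(1 << n)
        return n + 1


@dataclass(frozen=True)
class Kernel:
    version: str
    generation: int  # how many blown fuses this build was shipped against


def boot_allowed(kernel: Kernel, fuses: FuseLine) -> bool:
    """Anti-rollback check: a build older than the fuse count is refused."""
    return kernel.generation >= fuses.burned()


def apply_update(fuses: FuseLine, new_kernel: Kernel) -> int:
    """Install a newer build, then blow fuses up to its generation so older builds stop booting."""
    while fuses.burned() < new_kernel.generation:
        fuses.burn_next()
    return fuses.burned()


def rollback_demo() -> dict:
    """Walk through: exploitable old build boots, update blows a fuse, old build is refused."""
    fuses = FuseLine()
    old = Kernel("2.0.7371.0", generation=1)   # version from the text; generation constructed
    new = Kernel("dashboard 12625", generation=2)  # same
    fuses.burn_next()                          # toy factory state: one fuse already blown
    before = boot_allowed(old, fuses)
    apply_update(fuses, new)
    after_old = boot_allowed(old, fuses)
    after_new = boot_allowed(new, fuses)
    # Note there is no code path anywhere that lowers fuses.burned(); that is the whole point.
    return {"old_boots_before": before, "old_boots_after": after_old,
            "new_boots_after": after_new, "fuses_burned": fuses.burned()}


if __name__ == "__main__":
    print(rollback_demo())
```

The model makes the two properties visible: `program` can only OR bits in, so no software path restores a blown fuse, and the boot check is a plain comparison against that monotonic count, so the only way to keep an old build bootable is to keep the fuse from being blown at all.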

So if I just don't update the software on my JTAG-hacked Xbox 360, I will be fine, right? -> No, unfortunately it's not that simple. I wanted to play the new "Portal 2" game on the Xbox. When I went to try and play the game, I just got a blank screen. After reading up a bit, it turns out that the newer games require the newer software/kernel/dashboard on the Xbox. The newest in this case was dashboard version 12625. Well, I can't update the dashboard as this will blow the eFuses, thus breaking my JTAG hack, so what to do?
Well, as it turns out, another hack was discovered a while ago, called a "re-booter". To put it simply, this allows you to upgrade your dashboard to the latest version while still keeping your JTAG hack. The latest version is employed in a piece of software called "Easy Freeboot 5.10". So to get your JTAG-hacked Xbox running the latest dashboard, you will need to do the following:

First off, you will need to disable Microsoft's ability to burn the eFuses. This is done by removing the resistor labelled R6T3 on the motherboard, which supplies the power to burn the eFuses, or by disabling it as shown in the image.
Then, upgrade the dash by following the same guide here:

...until you get to step 6. Instead of doing this step (where you put an older dashboard on the Xbox), download a program called Easy Freeboot 5.10. This program will create a NAND image that has the newest dashboard on it (it only runs on Windows Vista/Windows 7). You will need your CPU key and original NAND dump for this. Once you have created your newNAND image, just flash it onto the Xbox using the command:

nandpro lpt: -w16 newNAND.bin

(taken from the Instructables guide). Because of the speed of the parallel port, it usually takes anywhere between 30 and 90 minutes to flash the Xbox.

Overall, it's not too difficult, just a bit of work. The only really important step is to make sure that you get a good NAND dump before you put the replacement on it. You should then have the latest dashboard on your Xbox 360.
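Since a good dump is what everything else depends on, here is an added Python helper (not from the original post and not part of nandpro) that checks a dump before you flash anything over it. The 16 MB figure comes from the `-w16` / `-e16 0 400` flags used above; the raw size including per-page spare bytes is my assumed geometry and is exposed as a parameter. It also compares two dumps byte for byte, which is the usual way to catch a flaky parallel cable before it costs you the only good copy of the NAND.

```python
# Sanity checks for an Xbox 360 NAND dump before flashing. Added example;
# not part of the original post and not part of nandpro.
import hashlib
from typing import Optional

# Assumed geometry for the small-block 16 MB part: 0x400 blocks of 32 pages,
# each page 512 data bytes + 16 spare bytes, as dumped by nandpro.
PAGE_RAW = 512 + 16
BLOCK_RAW = 32 * PAGE_RAW
NAND_16MB_RAW = 0x400 * BLOCK_RAW   # 0x1080000 bytes

CHUNK = 64 * 1024  # compare in chunks so a 17 MB file does not crawl byte by byte


def check_dump(data: bytes, expected_size: int = NAND_16MB_RAW) -> list:
    """Return the problems found with a single dump (empty list = looks usable)."""
    problems = []
    if len(data) != expected_size:
        problems.append("size %#x, expected %#x" % (len(data), expected_size))
    if data and data.count(0xFF) == len(data):
        problems.append("every byte is 0xFF: chip read back as erased, or was not read at all")
    if data and data.count(0x00) == len(data):
        problems.append("every byte is 0x00: the reader returned no data")
    return problems


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two dumps disagree, or None if identical."""
    n = min(len(a), len(b))
    for start in range(0, n, CHUNK):
        ca, cb = a[start:start + CHUNK], b[start:start + CHUNK]
        if ca != cb:
            for i, (x, y) in enumerate(zip(ca, cb)):
                if x != y:
                    return start + i
    return None if len(a) == len(b) else n


def dump_verdict(dump1: bytes, dump2: bytes, expected_size: int = NAND_16MB_RAW) -> dict:
    """Combine both checks; 'ok' is True only when both dumps pass and match."""
    problems = check_dump(dump1, expected_size) + check_dump(dump2, expected_size)
    diff = first_difference(dump1, dump2)
    if diff is not None:
        problems.append("dumps differ at offset %#x (block %d)" % (diff, diff // BLOCK_RAW))
    return {"ok": not problems, "problems": problems,
            "sha256": hashlib.sha256(dump1).hexdigest()}  # record this before you flash


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(dump_verdict(f1.read(), f2.read()))
    else:
        print("usage: checknand.py dump1.bin dump2.bin")
```

Dump the chip twice with nandpro, run the script on both files, and only proceed when it reports `ok: True`; keep the SHA-256 with the dump so you can tell later whether a backup copy is the original or a corrupted one.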

Except that, the first time around, it didn't work for me. Because of a bad flash (probably caused by a loose cable and moving the Xbox while it was being flashed), the memory on the NAND was corrupted. When I tried to turn on the Xbox, it wouldn't even power on. I knew I needed to reflash the NAND chip, except that it wasn't being recognised by nandpro now. According to this guide, I needed to reset the NAND chip. Unfortunately, after numerous attempts, I could not get either method in the guide to work. In the end, I tried running the command to erase the NAND:

nandpro lpt: -e16 0 400 

over and over again while plugging in the Xbox 360. I was hoping to catch the NAND chip just as it was powering up. After another couple of attempts, it recognised the chip and began to erase it. Then it was just a simple case of flashing the newNAND image to the Xbox again with the command:

nandpro lpt: -w16 newNAND.bin

When it was done, I unplugged the Xbox for a minute, put it all back together, turned it back on, and was greeted by the new dashboard splash screen! On top of that, Portal 2 ran without any issues.