iPhoneOpener 0.2

Since iOpener was not the best name (it was already used), I have renamed the tool for jailbreaking and installing ssh as iPhoneOpener. The code remains basically the same as before, though I have added some new features to it:

  • iPhoneOpener now generates the keys (by invoking dropbearkey)
  • Automatic download and unpack for firmware image, if necessary (see README for how to avoid the download if you have the restore image already)
  • Installs scp, sftp-server, the necessary shells for this to work (bash and csh), and fixes the master.passwd file to use csh (since it is smaller than bash) so scp works.
  • Installs some more useful binaries: ls, cat, mkdir, rm, rmdir, curl, vim

I have also made up a PPC and Intel bundle for each one with the required dropbearkey and iPhoneOpener binaries in them too for those who don’t want to compile it all. [If somebody could fix the Makefile so that I can make a universal version of these, please do so and either paste the patch into a comment, or email me on john AT bluedonkey DOT org]

If you want to use iPHUC with your iPhone after this version of jailbreak, then you’ll need to patch that so that it knows to use the com.apple.afc2 service (otherwise you’ll be stuck in jail). You can download the patch from here.

Any problems, leave me a comment. As with all this stuff, if you’re not confident about your ability to recover the phone should something go wrong, don’t run it. It should work out fine, but I can accept no responsibility if it doesn’t.

30 thoughts on “iPhoneOpener 0.2

  1. Is this a GUI program, or a command line program?

    Do you think it will work if I try to compile it on a PC-Linux box?

  2. It is a command line program, but it links against the shared library that iTunes uses to communicate with the iPhone, so it will not work on Linux until somebody implements that library for Linux.

    It should be possible to compile it for Windows (the utilities that I based it on are both available for Windows I believe); I just don’t have a Windows box to try it with.

  3. Thanks.

    I did try running it on my GF’s macbook pro. It seems to be working, but does it loop by design?

    Once its done transferring files to the phone and reboots back to normal mode, it prompts me to reboot hlding down home to go into restore mode again.

    I may be silly, but I decided to do it again, assuming that the phone needed more files after the first try. After a few times I realized it seemed to be doing an operation each time, so I interrupted it between iterations.

    I can’t seem to connect to it using SSH right now. Is it set up on a non-standard port?


  4. some more info about my problem…

    It would seem as if instead of saying it is “out of jail” and copying new binaries, it restarts the jailbreak.

    Should be unlocked now and rebooting…
    AMDeviceConnect: 0
    AMDeviceStartService: com.apple.afc2 not started
    AMDeviceStartService: com.apple.afc started
    Copying jailbreak files to iPhone
    Reboot phone while holding down home key to enter restore mode

    Des this have to do with the fact that com.apple.afc2 is not started? In your example com.apple.afc doesnt exist, only com.apple.afc2.

    Is this related to the fact that I did jailbreak using iPHUC prior to running your script? I couldn’t get dropbear to work using iPHUC so I decided to try your script, but this was after I successfully completed jailbreak in iPHUC.

    Do you have any suggestions on how to proceed?

    I appreciate your help.


  5. Hello Matt,

    I’m guessing that it is confused about the location of the files that are uploaded before the switch to recovery mode. It assumes (perhaps incorrectly), that if there is no afc2 service then the phone is still jailed. iPHUC seems to have implemented the broken un-jailing that leaves iTunes confused.

    I would suggest that you try a restore, then run iPhoneOpener. If you don’t want to do that, you could manually re-jail the phone using iPHUC if you like, and then run it (both should work). I’ve run the tool on a phone that was un-jailed using jailbreak 1.1 and that worked fine, but that is where the afc2 service came from.


  6. Hey,

    Thank you for your help. Re-Jailing it and re-running iPhoneOpener worked like a charm.

    I didn’t realize I had to reboot it again after the program completed running in order for Dropbear to work. If you release another version maybe this could be included at the conclusion of the script?

    I think a big problem for me right now is that so many people have pages on unjailing the iPhone that it is difficult to determine which is the correct or best way to do it.

    At the onset of my iphone hacking I think I put a little too much faith in the iPhone dev wiki.

    Thanks again for your help,

  7. the latest iphuc revision can accept a script or be run directly from the commandline, eg.

    iphuc -qa com.apple.afc2 -o ls /

  8. Hey,
    Ran into a little more trouble.

    SSH works fine, but if I try to SFTP, I get the following message:

    $ sftp root@
    Connecting to…
    root@‘s password:
    /usr/libexec/sftp-server: Command not found.
    Connection closed

    Does this work for you? Do you know whaty could be wrong?


  9. Just verified via SSH that sftp-server is not in /usr/libexec, so its not a permission issue.

    Maybe the SSH daemon is looking in the wrong location for the SFTP server? I wish I had find or locate on there, but I am terrible with Iphoneinterface, and was hoping to transfer files (including master.password) to the phone using SFTP.

  10. I have it in /libexec, not under /usr/libexec which I think matches the original instructions for installing it. Do you have it under /libexec on your phone?

    If so, you could simply ditto it into /usr/libexec as well and see if that makes it happier.

  11. I just did some testing, and it works fine if it is installed under /usr/libexec too, so I made a new version of the tool that places it there. Only have Intel binaries for now (will make PPC tonight when I get home to my PPC machine).

    You can download the Intel binary (and sources if you want to build your own) from here.

  12. John,

    Thank you very much for your help!

    Just curious, What is Ditto, I am not familliar with it. Does it make a copy of the file, or is it like making a symlink with ln -s?

  13. Interesting.

    So if the file is not compressed using ditto is very similar to (if not identical to) just copying the file using cp? I might just remove sftp-server from /libexec and create a symlink from the one in /usr/libexec in order to save some space and make it more efficient. (I know its only a few k, but I can be anal about stuff like that)

    Regarding the reboot at the end of the script, I wasn’t actually suggesting that the script reboot the phone, merely that is have a text line telling people who run it that in order for SSH to work the phone has to be rebooted again. This ought to minimize confusion!

    Thank you again for all your help.


  14. I used this tool successfully (thank you!) and was able to log in using ssh. But when I got to the end of the README, it said to consult the wiki for instructions on how to change the password. So I found instructions (under Dropbear-ssh) that said to use perl -e ‘print crypt(“MYPASSWORD”, “XU”);’ and I changed both MYPASSWORD and XU to other values, generated a string, then scp’d /etc/master.passwd off of the phone’s filesystem to my machine, edited the file in BBEdit, then scp’d it back overwriting the old one. Tried logging in, it didn’t work. Then figured it needed a reboot so it would do a clean read of the master.passwd file and now cannot log in at all. So now I’m stuck with sshd running but unable to log in as root, and not sure of the best method to replace the master.passwd file with the original, to hopefully get back to a place where I can log in via ssh.

    Any more specific advice about how to set the password (in your original instructions) or helpful comments about how to get out of this situation would be greatly appreciated!

    PS: It would also appear that the patch for iPHUC doesn’t apply anymore, if you get the source from svn; is it correct to assume, however, that by using the ‘setafc com.apple.afc2’ command above, this can easily be worked around? Thanks.

  15. Oh, and another dumb question… since this process generates new rsa and dss keys, can those files be used with something like, ‘ssh -i dropbear_dss_host_key root@your.iphones.ip.address‘ to skip having to log in with a password somehow? I tried this but had no luck. Even if that’s not currently how it’s set up to work, could a future version of the script perhaps make sure that there was a public/private keypair generated to allow logins using this method, and make any changes necessary on the iPhone side to permit inbound authentication using that keypair? Thanks — T

  16. Okay, so I did a complete restore using iTunes, to ensure a fresh start. Then, I executed your program, a’la the Terminal and the ./iPhoneOpener command. No issues, installed without a hitch, you might say exactly as the README said it would/should. Except…

    ..except that when I try to connect, the connection just times out. I checked/doubled-checked the IP I am pulling on the iPhone, it’s as it should be. I also confirmed no firewall issues exist for port 22. Still, the connection times out. Here’s a debug’d output of the last attempt:

    MacBook:~ myUserName$ ssh -vv root@
    OpenSSH_4.5p1, OpenSSL 0.9.7l 28 Sep 2006
    debug1: Reading configuration data /etc/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to [] port 22.
    debug1: connect to address port 22: Operation timed out
    ssh: connect to host port 22: Operation timed out

    Any thoughts on what the “hang up” might be? At this point, I am running a completely stock iPhone with your program executed/installed against it. Any feedback will be more than welcome, so thanks in advance!

  17. Thom: you’ll probably need to restore the phone using iTunes and then repeat the process. Not sure why the password change didn’t work – did you make sure the only change was the password field?

    iPhoneWriter: Try rebooting (see comment above from Matt about having to reboot the phone at the end to start the ssh server running.

  18. Okay, so I finally figured out what was going on. To review, although I was able to do the SSH install without error, I couldn’t connect… the connection attempt would just time out. So, I re-read the WIKI’s, consulted the forums, did some Googling and tried again. Same result.

    So, not being one to give up and taking it somewhat personally at this point, I looked for (and tried) alternate method’s. Different combinations of Restoring my Apple iPhone, along with ./jailbreak vs. iFunastic vs. iActivator, and all variations of step-by-step and “easy” installs. Long story short, each method that worked without error (successfully) end with the same result of being unable to connect… the connection attempt would just time out.

    I pressed on, and I am glad I did. As luck would have it, on yet another iTunes->Restore for my Apple iPhone, I decided to try *not* synching the iPhone after the restoration, basically keeping it as close to the “out of the box” product as possible. The iPhone was activated, but I didn’t let it synch and that made all the difference. Something about eh synching of the data *before* installing SSH was the culprit behind being unable to connect.

    The end result? Well, after that last iTunes->Restore, the SSH installation process went without a hitch and I was able to successfully SSH into the iPhone. Given I was already able to ./jailbreak and iPHUC, being able to SSH opened up the flood gates and my Apple iPhone is now fully tweaked.

    Some notes I discovered along the way, in hopes that all of this information will help someone else.
    The ModMyiPhone iPhone Skinner rocks. Use the file it produces with (a .IPB file) along with Install IPB to easily and fully customize the look of the Apple iPhone.
    The Install IPB application works best with the iPhone *after* the iPhone has been “freed” using iFuntastic. It doesn’t seem to work right using ./jailbreak or iActivator.
    Whatever iPhone Skinner doesn’t change, iFuntastic can (like the mail alert sound or battery cons, etc.)
    iFuntastic cannot be used to install new applications.
    There are several “quick and easy” install programs for SSH. They all seem to work best with iActivator vs. iFuntastic. Ultimately, I prefer the package put together by BlueDonkey, which does not require using iActivator or iFuntastic or anything first. Using it *immediately* after the “clean’ iTunes-Restore was the ideal combination for me (iFuntastic, iActivator and iPHUC were all installed, I just didn’t use any of them. BlueDonkey’s package has it all covered.)
    The ModMyiPhone WIKI’s are awesome, but you have got to follow them precisely. Take your time and focus Danielson.
    Once SSH is installed and you are able to successfully SSH into your iPhone, everything else is a cakewalk.
    Installing new applications works best with iActivator, iPHUC and SSH *but* using SCP to copy the application to the iPhone instead of iPHUC (it takes fewer steps.)

    A huge thanks to everyone who offered assistance along the way. Every little bit helped and ultimately got me to the goodness I am enjoying now. I hope this collection of tidbits steers someone else in the right direction along the way. It feels good when the kid gloves come off!

  19. Hi John,
    First, thank you for your efforts in letting us PPC users enjoy some of the fun too! I have a question. The main.cpp file’s line 360 defines RESTORE_DMG as “694-5259-38.dmg” yet if I download the restore file from Apple outside of this app and open the zip, the filename I have is “694-5281-6.dmg”. Is it safe to simply rename the filename in main.cpp to this other filename? The attempts to download the files from Apple servers in the script fail, so I’m hoping to use the one I have on my desktop.

    Also, line 361 is looking for “kernelcache.restore.release.s5l8900xrb” but the file from Apple is “kernelcache.release.s5l8900xrb”. Again, is a simple renaming safe here?


  20. Hello Matt,

    Not sure – I haven’t upgraded my iPhone to the latest firmware as I didn’t want to risk the upgrade preventing me from working on the stuff I’m doing at the moment. If you already have the 1.0.1 firmware on the phone, go ahead and try the renaming and let me know if it is working OK. If so, I’ll update the script.

    By the way, if you’re on PPC, you might want to download the 0.3 Intel bundle too, and take the main.cpp from there – it has a bug fix in it that I haven’t had a chance to put into the PPC bundle yet.


  21. Hi John,
    I was able to run your script. Seems Little Snitch had a block on curl. So, after that was corrected, it all ran smoothly. I was able to download Installer.app and put Launcher, Terminal, and some other things like the BSD Subsystem, Mobile Terminal, OpenSSH, the Community Sources package, and Erica Utilities on without any problems. What I am now trying to do is to use Transmit or Fugu to get into the file system from my desktop. Do you have any advice? Does the iPhone have to be jailed again? Any help you can provide would be greatly appreciated.


  22. Hello Matt,

    No, shouldn’t ever need to be re-jailed as it is set up to run the jailed version of AFC for things that need it (iTunes) and the alternate version (com.apple.afc2) for unjailed access.

    That said, if you’re going via SFTP you don’t need it at all. Only thing to watch for is the bug I mentioned before in 0.2 that should be fixed in the source for 0.3 that affects getting the SFTP daemon installed.

    Since you’ve already run it, you might need to use iPHUC to copy the sftp-server binary to /usr/libexec and then ssh in and set execute permission on it. After that you should have SFTP/scp capability too.


  23. John, I hope you don’t mind having this conversation via the blog but perhaps people can learn from this. I was able to get iPHUC to copy the sftp-server binary from the 0.3 release into the /usr/libexec directory. I’m simply in Terminal on my desktop and using this command: ssh root@IPaddress and I assume the return will be a request for a password. unfortunately it times out and the password request doesn’t come. Any thoughts?

  24. Hello Matt,

    No problem using the comments for this. As for your problem with ssh, others have seen this as well (see the comments from iphonewriter above), but the only solution that has been found is to restore the phone and then do the installation before running any sync in iTunes. The odd thing is that I have always done this after sync’ing. I assume you’ve rebooted the phone… you need to do that to start ssh running.

    What I would suggest is that you check all the files that are installed for ssh support are really there. If you ran the 0.2 version of main.cpp it is possible that some of them were not made executable properly. That is difficult to fix without restoring and re-running with the 0.3 version.

    Also, try opening a page in the browser on the phone, and while that is loading attempt to make the ssh connection. Sometimes I’ve seen it not respond to incoming connections (I assume some kind of power save related feature).


  25. I restored and updated to the 1.0.2 since it just wasn’t going to work. The 0.3 release of your code is Intel only, right? I’m PPC.

  26. Hello Matt,

    The 0.3 bundle contains binaries for the Intel only, but if you have XCode installed on your PPC system, you can download the 0.2 PPC, and the 0.3 Intel, then just replace the main.cpp in the 0.2 bundle with the one from the 0.3 one – that was the only file that changed.

    I will try to get the PPC bundle updated tonight if I can. Been an issue of getting time on the machine to do it,


  27. HI, I’m trying to run iPhoneOpener 0.2 on my wife’s iPhone. It is running firmware version 1.02. When I start iPhoneOpener, it gets to the “Switching to restore mode” part. I put the iPhone in restore mode, and I get a line in the terminal window that says “Bus Error” and then I have to reset the phone.

    I have successfully run this on my phone. I have tried running it on her phone on her Macbook and my Macbook Pro. The same thing happens either way.

    Is this a problem with the phone or with the 1.02 firmware or what?

    Hope you can help.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.