操控更多,进入iPhone操作系统的Shell后台的方式已经被分析出来

寂夜清风

iPhone采用了专门的操作系统.然后用SHELL呈现给用户一个漂亮的界面.如果能够进入到这个SHELL后面的话.可以对系统进行更多了解..
5 X* M- f: x. @* K, a5 m( N" _. V# u
目前这种方法已经被人分析出来了:
由于iPhone采用了与iPod一样的底部数据线脚定义,所以可用串行控制的方式来进入SHELL的里面.
在线脚的第21脚和第11脚之间接上一只6.8K的电阻,然后在recovery模式下输入以下指令
setenv debug-uarts 1
+ g4 K9 y, i+ g5 R* [saveenv
reboot

4 i: R, v1 C, D& w机器会自动重启.然后就进入指令状态了.

                                iPhone SERIAL HACKED, FULL INTERACTIVE SHELL                                                           Your friends at #iPhone made a major breakthrough this morning.
we got a serial console working, here is how the serial has the same pinouts as iPod serial use a 6.8kish resistor from pin 21 to gnd tie pin 11-sergnd to the real ground use iphone interface to send the following commands in recovery mode:
setenv debug-uarts 1
) o8 r9 |& ^) u" P! o1 h: K) a2 ]8 @saveenv
7 i1 Y. w% v, X2 l% wreboot
+ ^9 Q# u' [2 p' K
# L  r8 g0 i9 ^& @+ t* P4 e- Gthat should work

IT GIVES YOU A FULL INTERACTIVE SHELL
. A) A, }6 e  `: I$ r( hI REPEAT, A FULL INTERACTIVE SHELL
, k6 N4 l7 G# G5 H: v  _" L2 [5 g/ z
; _" k- R. @8 A8 @4 @2 u2 OThe command list is: http://iphone.fiveforty.net/geohot/cmdlist.txt

You need a level convertor, like the max 232 to make this work

DIGG: http://digg.com/apple/iPhone_serial_...l_shell_access
& j$ ~0 Z) H0 i
& J1 u" N- K% ^7 o8 b# O  I~geohot
                                                                                                                                                                                                                                        Last edited by geohot : 07-06-2007 at 10:40 PM.                                                   

http://www.hackint0sh.org/forum/showthread.php?p=7989#post7989
/ }) q+ e1 C6 i. S: g

- [. c/ C  U$ z6 ^- f

寂夜清风

现在你可以用指令来控制很多东西罗..
1 ~9 r& F+ {9 v, `& p

command list:
3 G, [/ E! Q8 G' `        help           this list
" H) t) n" D5 ?, N        script         run script at specific address
        go             jump directly to address
6 I! [- }8 N- m, a8 c        bootx          boot a kernel cache at specified address
        diags          boot into diagnostics (if present)
( i* U# d# k  E2 }7 m+ a- i. E( C        tsys           boot into tsys (if present)
( Y2 A9 w3 `3 s- V5 p        bdev           block device commands
: ^. R0 \/ }5 m; v' N4 ^& H        image          flash image inspection
' s, U0 v" D) T8 G/ U- O        fs             file system commands
        fsboot         try to boot kernel at /kernelcache
        devicetree     create a device tree from the specified address
0 J% k! B+ @7 a9 y( _& r        ramdisk        create a ramdisk from the specified address
        tftp           tftp via ethernet to/from device
$ v+ e6 }0 P# P  z4 T4 V0 d# ^7 l        eload          tftp via ethernet from hardcoded install server
        halt           halt the system (good for JTAG)
        reboot         reboot the device
7 \! W3 ^7 ~) P9 w  I$ O        poweroff       power off the device
        md             memory display - 32bit
        mdh            memory display - 16bit
        mdb            memory display - 8bit
# v1 i5 L# |7 Z+ e% I" y! W! H        mw             memory write - 32bit
# \/ Z9 [& L- _& k- {: k- }4 e        mwh            memory write - 16bit
0 R6 ?. a/ Y0 j6 a4 Q. {        mwb            memory write - 8bit
        mws            memory write - string
4 Q+ H# h  s6 y( X3 l5 n        crc            POSIX 1003.2 checksum of memory
5 [5 W, @" d0 ]! t# O        task           examine system tasks
6 J+ n) ~* m# k7 d6 n5 o3 V& _        printenv       print one or all environment variables
. _* F5 w& l" @# m/ \! X        setenv         set an environment variable
        clearenv       clear all environment variables
        saveenv        save current environment to flash
        run            use contents of environment var as script
$ H8 a3 O! d: Z8 H1 B        bgcolor        set the display background color
        setpicture     set the image on the display
        iic            iic read/write
7 o$ l8 n+ W7 a" i        radio          Manipulate the radio board.
        setbusclock    Set bus clock to the given frequency in Hz.
8 G2 I, f. Y  X# u6 B3 d3 U3 c        setcorevoltage Set core voltage to the given voltage in mV.
        syscfg         flash SysCfg inspection
, `- G3 j( x: X  ^" ^9 f! B7 }        charge         Manage the charger chip.
        powernvram     Access Power NVRAM.
* ?3 D! I) I$ ?) a4 A5 G! h        usb            run a USB command
( ~- n2 P2 L- r4 V" {% O        nand           nand flash routines
        chunk          chunk a file

: V$ J; {" W) Y0 N! T% J  T: A7/6/2007

http://iphone.fiveforty.net/geohot/cmdlist.txt

寂夜清风

收藏一下..这个肯定会有需要的时候罗
* u2 F0 o; _" o6 k8 ?2 z

Apple iPod dock interface pinout

connector wiring scheme

used in 3rd and later generation iPods for charging,connecting to a PC via USB or Firewire, to a stereo via line-out, to aserial device (controlled via the Apple Accessory Protocol). Thisconnector exists in all Apple iPod MP3 player (iPod 1G, 2G, 3G, 4G, 5G,Nano)

- s* A9 [+ l6 |4 W

4 _$ h) C2 x- \& J7 x; c30pin线脚图  at the player ( white side up) ' L  r7 Z" r- X+ P) }* D Pin Signal Description 1 GND Ground (-), internaly connected with Pin 2 on iPod motherboard 2 GND Audio & Video ground (-), internaly connected with Pin 2 on iPod motherboard 3 Right Line Out - R (+) (Audio output, right channel) 4 Left Line Out - L(+) (Audio output, left channel) 5 Right In Line In - R (+) 6 Left In Line In - L (+) 8 Video Out Composite video output (only when slideshow active on iPod Photo) 9 S-Video Chrominance output for iPod Color, Photo  only 10 S-Video Luminance output for iPod Color, Photo only 11 GND Serial GND 12 Tx ipod sending line, Serial TxD 13 Rx ipod receiving line, Serial RxD 15 GND Ground (-), internaly connected with pin 16 on iPod motherboard 16 GND USB GND (-), internaly connected with pin 15 on iPod motherboard 18 3.3V 3.3V Power (+) 7 t" C; \3 `: \8 i0 d9 L/ O6 u* AStepped up to provide +5 VDC to USB on iPod Camera Connector.   If iPod is put to sleep while Camera Connector is present, +5 VDC at this pin slowly drains back to 0 VDC. 19,20 +12V Firewire Power 12 VDC (+) 21 Accessory Indicator/Serial enable Different resistances indicate accessory type: ! e; s  ?; s/ J/ b$ Z! ?         1kOhm - iPod docking station, beeps when connected ; |) j3 J" y3 w4 B! V, G8 A         10kOhm - Takes some iPods into photo import mode          500kOhm - related to serial communication / used to enable serial communications                Used in Dension Ice Link Plus car interface 1MOhm - Belkin auto adaptor, iPod shuts down automatically when powerdisconnected Connecting pin 21 to ground with a 1MOhm resistor doesstop the ipod when power (i.e. Firewire-12V) is cut. Looks to be thatwhen this pin is grounded it closes a switch so that on loss of powerthe Ipod shuts off. Dock has the same Resister. 22 TPA (-) FireWire Data TPA (-) 23 5 VDC (+) USB Power 5 VDC (+) 24 TPA (+) FireWire Data TPA (+) 25 Data (-) USB Data (-) 26 TPB (-) FireWire Data TPB (-) 27 Data (+) USB Data (+) ! R% P4 |) J9 Q% A+ mPins 25 and 27 may be used in different manner.  To force       the iPod 5G to charge in any case, when 'USB Power 5 VDC' (pin 23)       is fed, 25 must be connected to 5V through a 10kOhm resistor, and 27 must be connected to        the Ground (for example: pin 1) with a 10kOhm resistor. 28 TPB (+) FireWire Data TPB (+) 29,30 GND FireWire Ground (-) Back side of dock connector; 8 }: k) E8 ~* E2 M 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 5 n& N2 G5 J6 l7 F, J 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29Pins 1,2 connected on motherboard. 0 `8 n+ G# w! Y1 @$ IPins 15,16 connected on motherboard. & k! h. Q9 A+ ~* ^) U: sPins 19,20 connected on motherboard. . E0 o+ M; r# J) TPins 29,30 connected on motherboard.   I: u9 Q! [3 D9 q" kIf you disassemble the original apple-ipod-dock-connector-cable andlook at the connector itself, on the back side, where it is soldered,you can see the number 1 and 30 (e.g. pin 1 and 30). In thisdescription NUMBERING is INVERSED: pin 1 is pin 30 and pin 30 is pin 2,so, don't look at numbers on connector. $ _( q: \; a9 a6 t2 F+ SThe remote control, iTalk and other serial devices use AppleAccessory Protocol for communication with iPOD. This protocol wasintroduced with the 3rd generation iPods, and is also compatible withthe 4th generation iPods and mini iPods. The connections uses astandard 8N1 (one startbit 8 data bits 1 Stopbit) serial protocol,19200 baud (higher rates up to 57600 also possible, but speed fasterthan 38400 may cause problems with large amounts of data), delay of 12microseconds inserted between end of the stopbit and the beginning ofthe next startbit (also working without this delay). Electrical: high +3,3V low 0V & X$ g- [; N8 n- rdefault line state: high. Codes used for communication with peripherals are here 8 i1 d7 R# \2 l& D  x9 n This device may be connected to the firewire computer port by straight cable (TPB+/-, TPA +/- shoulde be twisted pairs in cable)

http://pinouts.ru/Devices/ipod_pinout.shtml

wenwang

ni bi a