Showing posts with label ipad. Show all posts

Monday, March 10, 2014

Apple credits iOS 7.1 security changes to evad3rs and other jailbreak community members


Following the release of iOS 7.1 earlier today, the first major update to iOS 7, Apple has updated its security updates support document with a link to a newly created page describing the security content of iOS 7.1.
In it, Apple credits prominent members of the jailbreak community, such as evad3rs, the team behind the evasi0n jailbreak, as well as Google and others who reported the issues and so contributed to the security changes in iOS 7.1.
Speaking of evad3rs, the team is credited with four of the fixes in iOS 7.1.
One concerns a bug that let a maliciously crafted backup alter the iOS filesystem; another a crash-reporting issue that let a local user change the permissions of arbitrary files; the remaining two concern a kernel issue that allowed arbitrary code execution in the kernel (the stuff jailbreaks are made of) and a bug that let an attacker bypass code-signing requirements.
Apple also credits other members of the jailbreak community, such as Springtomize 3 developer Filippo Bigarella and iOS security researcher Stefan Esser.
Filippo is credited for a bug that let a malicious app cause an unexpected system termination, and Stefan for bringing to Apple's attention a dangerous bug that let a man-in-the-middle attacker entice a user into downloading a malicious app via Enterprise App Download.
This isn't the first time Apple has thanked prominent hackers for their discoveries. In 2012, for instance, the company credited the 2012 iOS Jailbreak Dream Team with finding a kernel exploit that was patched in iOS 5.1. Likewise, following the release of iOS 6.1.3 in March 2013, Apple's security note credited evad3rs with the discovery of four of the six bugs fixed.
All in all, the document details two dozen security-related issues in iOS 7 and a total of 41 vulnerabilities fixed or mitigated in iOS 7.1. Besides the prominent hackers, Google's Chrome Security Team and ordinary users contributed reports as well.
Of the nineteen vulnerabilities fixed in the WebKit engine that powers Safari, nine were reported to Apple by Google's Chrome Security Team; WebKit was the engine behind Google's Chrome browser until Google forked it as Blink in 2013.
Signing off, have you ever wondered why Apple refuses to publicly acknowledge dangerous security holes in its software before a fix is out, something for which it gets chastised a lot by less-informed media outlets?
"Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," states the document.
See, this is for your own protection.
As a friendly reminder, jailbreakers should stay away from iOS 7.1 unless they are willing to lose their jailbreak: once you upgrade to iOS 7.1 you cannot downgrade again, even with saved SHSH blobs.

Saturday, March 8, 2014

How to Flash From T-Mobile to Verizon Wireless

  • Overview

    T-Mobile wireless devices come "locked," meaning they will only work with SIM cards from T-Mobile; a SIM card from a different provider will be rejected. Unlocking your T-Mobile device removes that restriction so that the phone accepts another carrier's SIM and can be used with that carrier's service plan instead of a T-Mobile plan. Note that an unlock only removes the SIM restriction; it does not change the phone's radio hardware, so the handset must also support the other network's technology and frequency bands (at the time of writing Verizon Wireless ran a CDMA network that many GSM handsets sold by T-Mobile could not use at all). T-Mobile supports the unlocking of its phones for various reasons, and with a simple unlock code you can free your phone to work on any compatible network.

    • Step 1

      Call T-Mobile's customer service line at (800) T-MOBILE and explain that you want to use a different SIM card with your phone. The request is usually logged, and a representative then contacts you by phone or email with a unique unlock code. Unlock codes are also sold through online sites such as eBay, where sellers offer them for $10 to $20 each.
    • Step 2

      Plug the phone into a wall outlet, or make sure it is fully charged. If the phone were to shut down or restart during the unlocking process, it could be damaged. With the phone off, remove the existing SIM card (if present) and insert the SIM card from the new carrier (Verizon Wireless in this article's example). Power the phone on; you should see a screen, different from the usual one, saying that the phone does not recognize the SIM card.
    • Step 3

      Type in your unlock code once the screen says "Enter Special Code." If this screen does not appear automatically, you can bring it up manually: hold the * key until an entry box appears, type *#32# and select "OK." You can now enter your unlock code. When the process completes you should see a message that says either "Completed" or "Deleted," and the phone will accept SIM cards from other carriers.

    • Skill: Moderately Easy
    • Ingredients:
    • T-Mobile wireless device
    • Verizon Wireless SIM card
    • Phone

    Apple's iCloud security feature in OSX is bypassed in just 70 lines of code

    If there is anything the tech world has learned about security, it's that four-digit PINs are fundamentally unsafe. Put one on top of a poorly designed lockout policy and you have an open invitation for brute-force attacks. Unfortunately, this is what Apple has done with its iCloud implementation: if a Mac is remotely locked through Find My Mac from an iOS device, the user has to enter a 4-digit PIN on the locked machine to unlock it.
    A GitHub user by the name of knoy has uploaded iCloudHacker: only about 70 lines of Arduino code that not only makes it straightforward to brute-force the Find My Mac lockout, but also dances around the surprisingly lacklustre controls Apple put in place. The author reports it has been tested successfully on 2010 and 2012 13" MacBooks.
    The program isn't doing anything fancy, nor is it exploiting a bug behind the scenes. It simply presents itself as a USB mouse and keyboard and types in PINs the way any user would. Don't get comfortable, however: this is worse than an obscure exploit, because it means the same thing can be done by anyone willing to type PINs over and over, and, more importantly, that the OS lets them.
    The first thing the program does on boot is wait 5 seconds for the Wi-Fi pop-up, then move the mouse cursor over to the pop-up and close it. It then loops through the possible PIN combinations until it hits the one-minute lockout that makes the user wait before guessing again. At this point the program, just like a normal user, waits one minute and continues. Eventually it hits another lockout, this time for five minutes. Rather than waiting, the program moves the cursor to the restart button, restarts the computer, and starts over. Rebooting puts the computer back in a completely clean state, as if the guessing a moment ago had never happened.
    The author suggests the maximum time to brute-force any machine is 60 hours. When it finally gets in, it flashes the LEDs to tell the user that the PIN has been found.
    This implementation is fairly naive and doesn't use any of the research into how people actually choose PINs. For example, the analysis published by Datagenetics reveals some startling facts about 4-digit PINs:
    • The 20 most common PINs account for 26.83% of all PINs observed.
    • The most popular PIN is 1234, at about 10% of all observed PINs, which means roughly 10% of machines could be cracked with a single guess.
    • The 5 most common PINs cover 20% of all observed PINs, so about 20% of machines could be cracked in five guesses.
    • Half of all PINs can be cracked in 426 guesses.
    • Repeated-pair couplets of the form XYXY (e.g. 1212, 2323, 5454, 0808) account for 17.8% of all observed PINs.
    The code can be easily modified to account for the above and more, and there are hundreds if not thousands of text files out in the wild which have already listed 4-digit PINs in order of likeliness.
    When looking at this issue we have to keep in mind that what is happening here is in fact significant, no matter how insignificant or time consuming it might appear. The significance isn't in the type of attack itself, or what the attack does, but in that there is a false sense of security for users regarding their Apple MacBooks and desktop computers.
    So how can this be fixed? Easy. Among others, the first improvements that come to mind are:
    • Increase the minimum number of digits to six. An increase to just five digits increases the number of possible combinations ten times, and an increase to six digits increases the number of possible combinations by 100 times.
    • Require the use of symbols and letters, with the ability for both lower and uppercase letters
    • Introduce persistent records of previous unsuccessful attempts
    • Require MacBook-initiated two factor validation
    Although this method isn't new or revolutionary, it comes at a very bad time for Apple: just over a week ago a disastrous SSL/TLS certificate-validation bug in iOS and OS X came to light (fixed in iOS 7.0.6 and OS X 10.9.2), followed by the discovery of an iOS vulnerability that allowed full background monitoring.
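The two points above, that a lockout counter held only in RAM is erased by a reboot and that a guess list ordered by real-world PIN frequency shortens the search, are easy to see in a simulation. The following is an added example written for this page, not code from the post or from iCloudHacker (whose Arduino sketch drives a real USB keyboard and cannot run offline). The lockout thresholds, the doubling schedule, the 30-second reboot cost and the hypothetical `PinLock` class are all assumptions; the post only says the first lockout is one minute, the next five, and that a reboot clears them.

```python
"""Model of a lock-screen PIN check: volatile vs persistent lockout state,
and sequential vs frequency-ordered guessing.  Constructed example."""
import hmac

# Assumed parameters, not Apple's real values.
LOCK_AFTER = 3           # wrong guesses allowed before a lockout trips
FIRST_LOCKOUT_S = 60     # first lockout; doubles each time it trips again
MAX_LOCKOUT_S = 86_400   # cap on the doubling
REBOOT_S = 30            # assumed cost of restarting the machine


class PinLock:
    """persistent=False: counters live in RAM and vanish on reboot (the flaw).
    persistent=True: counters are stored and survive a reboot (the fix)."""

    def __init__(self, pin, persistent):
        self._pin = pin
        self.persistent = persistent
        self.failures = 0
        self.lockouts = 0
        self.locked_until = 0

    def reboot(self):
        if not self.persistent:
            self.failures = 0
            self.lockouts = 0
            self.locked_until = 0

    def try_pin(self, guess, now):
        """Return 'locked', 'ok' or 'wrong' for a guess made at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"
        # A real implementation compares slow-KDF output; a constant-time
        # compare of the PIN itself is enough for the model.
        if hmac.compare_digest(guess, self._pin):
            return "ok"
        self.failures += 1
        if self.failures >= LOCK_AFTER:
            self.failures = 0
            self.lockouts += 1
            self.locked_until = now + min(
                FIRST_LOCKOUT_S * 2 ** (self.lockouts - 1), MAX_LOCKOUT_S)
        return "wrong"


def brute_force(lock, candidates):
    """Mimic iCloudHacker: type each candidate and, whenever a lockout would
    cost more than a reboot, reboot instead.  Returns (pin, seconds, guesses)."""
    now = 0
    for guesses, pin in enumerate(candidates, 1):
        while True:
            result = lock.try_pin(pin, now)
            if result != "locked":
                break
            wait = lock.locked_until - now
            if wait > REBOOT_S:
                lock.reboot()
                now += REBOOT_S
                if lock.locked_until > now:   # persistent lock: the reboot bought nothing
                    now = lock.locked_until
            else:
                now += wait
        if result == "ok":
            return pin, now, guesses
    return None, now, len(candidates)


def sequential():
    return [f"{n:04d}" for n in range(10_000)]


def frequency_ordered():
    """1234 first, then the XYXY repeated-pair family the post says covers
    17.8% of observed PINs, then everything else.  The order inside each
    group is constructed here, not Datagenetics' published ranking."""
    head = ["1234"] + [f"{x}{y}{x}{y}" for x in "0123456789" for y in "0123456789"]
    seen = set(head)
    return head + [p for p in sequential() if p not in seen]


if __name__ == "__main__":
    for persistent in (False, True):
        pin, seconds, guesses = brute_force(PinLock("9999", persistent), sequential())
        print(f"persistent={persistent}: {pin} after {guesses} guesses, {seconds / 3600:.1f} h")
    pin, _, guesses = brute_force(PinLock("1212", False), frequency_ordered())
    print(f"frequency order: {pin} after {guesses} guesses")
```

With the volatile lock the worst case is one reboot per three guesses, roughly 28 hours under these assumptions, the same order of magnitude as the 60 hours the author quotes. With the counter made persistent the same 10,000 guesses take years, because every lockout has to be sat out. A PIN such as 1212 falls within the first hundred guesses once the XYXY family is tried first.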

    Thursday, March 6, 2014

    Apple iPhone 4 flashing to Cricket tutorial (talk, text, MMS, data)

    DFS - creators of CDMA Tools
    Amoamare - repo location for the Comm center patch and Cricket bundle.
    Rich Hathaway - also posted a repo location for a Comm center patch and misc postings on CDMA Gurus.
    ljm715 - the original IPCC I used was from this poster (CDMA Gurus)


    This is a work in progress. I have learned so much about this in the past few days that it is hard to weed out what didn't work from what did.

    I will try to make this process painless for those who decide to go down this path in the future. The results are a beautiful, fully flashed iPhone 4.


    NOTE: The instructions will cover the Verizon iPhone first because that is what I used. Sprint involves obtaining the SPC and probably saving the files in a different location (probably the Sprint folder).

    Read more: http://www.cricketusers.com/apple-iphone-4-4s-cdma/30852-%5Btutorial%5D-apple-iphone-4-full-flash-cricket-wireless-talk-text-internet-mms.html#ixzz2vFKIjqKX


    In order to program the phone you will have to Jailbreak it. You need to be able to access system files and install other items to make a connection to DFS and load a PRL.

    We've had success with untethered Jailbreak on 5.0.1 and tethered on 5.1.



    Software Requirements:


    CDMA Tool (by DFS)
    - Download the demo. When you purchase the OTA flashing for the iPhone, it will upgrade you to the "Light" version.


    iTunes
    - Contains drivers that are required. You also need iTunes in general.


    DiskAid
    - Browsing iPhone Apps contents and transferring files to or from an iOS device has never been easier with DiskAid. It automatically discovers all Apps and allows to copy files, folders or even complete file trees!

    File Requirements:

    Custom IPCC for Cricket 
    - This will be required for MMS. It should also contain a Cricket PRL which can be replaced. Becomes OPTIONAL if amoamare's Cricket Bundle is used (read in AMO section).

    Recommended Downloads:


    plist Editor
    - In the Mac OS X and iPhone OS, property list files are files that store serialized objects. Property list files use the filename extension .plist. Mac OS X 10.2 introduced a new format where property list files are stored as binary files. Starting with Mac OS X 10.4, this is the default format for preference files.

    These plist files are in the IPCC (Carrier Bundle) file. You might want to be able to peek inside those. To open an IPCC file, I changed the file extension to .zip and opened them up in Winrar. In Winrar you can edit the files inside the zip and save them back to the zip immediately. I feel like this causes the least modifications to the file structure of the IPCC or Carrier Bundle.

    PRL - This is in the recommended downloads because the IPCC file will contain or should contain a valid PRL. You might want to choose your own though. Please visit the PRL thread: http://www.cricketusers.com/flashing...rl-thread.html



    Read more: http://www.cricketusers.com/apple-iphone-4-4s-cdma/30852-%5Btutorial%5D-apple-iphone-4-full-flash-cricket-wireless-talk-text-internet-mms.html#ixzz2vFK5wMDt

    Guide on flashing your iPhone 4 (CDMA) to metroPCS

    Hi,

    I'm starting a thread on how to flash the iPhone 4 (CDMA) to metroPCS because when I was looking for it on Google it took me so long.

    This is only for the Verizon iPhone 4 (CDMA).


    First off it doesn't matter whether or not the iPhone 4 (CDMA) you have has a good or bad ESN. metro doesn't care.

    Keep in mind only talk and text works. All data will require WiFi but you can't beat unlimited talk and text for $40 (plus $5 unlimited international texting).

    Now. You will need to download

    iPhoneBrowser 
    http://code.google.com/p/iphonebrows...3.exe&can=2&q=

    metroPCS 1038 PRL (renamed to 310VZW.prl) 

    http://dl.dropbox.com/u/35084515/310VZW.prl 
    Configuring the phone for use on metroPCS

    the metroPCS PRL
    1. Jailbreak using either redsn0w (4.2.9) or JailbreakMe (4.2.8 and lower)
    2. Download afc2add on Cydia
    3. Open iPhoneBrowser
    4. Go to /System/Library/Carrier Bundles
    5. Scroll all the way down to Zeppelin_US.bundle
    6. Delete the 310VZW.prl file first then drag the metroPCS 1038 PRL file there

    metroPCS Roaming Lists
    1. Dial *22801 on your iPhone (on the top left it should say Roaming)
    2. Follow voice directions to get the latest Roaming Lists
    3. When it's Done it should say Service Update Complete

    Your phone is now fully configured for use on metroPCS. Easy right?

    To get your ESN you need to convert it from the MEID number the iPhone gives you.
    The ESN should be an 18 digit number (there should be no letters). Google for a MEID to ESN converter.

    Now the hard part.

    Getting your iPhone's ESN added into the metroPCS inventory
    I learned this the hard way, but you can't just go to a metroPCS store and have them add it for you. This applies not only to iPhones but to all flashed phones. The only way they can add it is if your phone is officially flashable with metroflash. Why? Because their software adds the ESN automatically when the phone is flashed. 

    To have it added manually you have to find someone who is willing to do it. Most corporate stores will do it but they will charge you for it. 



    To verify your ESN has been added
    (link) and check if your ESN is verified as a metroPCS ESN.

    Anyways after your ESN is added all you have to do is either
    Dial *228 on your phone and talk to customer service (important!) and have them switch the phones for you; it should be done automatically.

    or

    Go to a metroPCS store and have them add it for you. 

    After that, talk and text should be working on metroPCS.

    Some things to note:
    There won't be a carrier name showing at the top, but you can use FakeCarrier or something similar to add one. Honestly, though, I prefer the clean look of having no carrier name.

    If you want to get rid of the O next to the carrier name or signal bars, just disable Cellular Data. It's an indication that it couldn't connect.
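Both the Cricket tutorial (rename the IPCC to .zip, peek at the plists, replace the PRL) and the metroPCS guide (drop a renamed PRL into Zeppelin_US.bundle) are doing the same byte-level edit of a carrier bundle by hand. The script below is an added example written for this page, not code from either guide: it treats an .ipcc as the zip archive it is, reads a plist from it and rewrites it with a new PRL and updated keys. The bundle is constructed in memory so the script runs offline; the plist keys and PRL bytes are illustrative, and only the Payload/<Name>.bundle layout and the file name 310VZW.prl come from the guides. The same swap applies to a bundle already sitting under /System/Library/Carrier Bundles on a jailbroken device, minus the zip handling.

```python
"""Inspect and patch a carrier bundle (.ipcc) as a zip archive.  Constructed example."""
import io
import plistlib
import zipfile

BUNDLE_DIR = "Payload/Zeppelin_US.bundle/"   # Verizon's bundle, named in the metroPCS guide


def build_sample_ipcc():
    """Constructed stand-in for a stock Verizon IPCC: one carrier.plist and one PRL."""
    carrier = {                                # illustrative keys, not Apple's full schema
        "CarrierName": "Verizon",
        "SupportedSIMs": ["311480"],
        "apns": [{"apn": "vzwinternet", "type-mask": 2}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(BUNDLE_DIR + "carrier.plist",
                   plistlib.dumps(carrier, fmt=plistlib.FMT_BINARY))   # binary plist, as on device
        z.writestr(BUNDLE_DIR + "310VZW.prl", b"\x00\x10VZW-PRL-SAMPLE")  # constructed bytes, not a real PRL
    return buf.getvalue()


def list_bundle(ipcc_bytes):
    with zipfile.ZipFile(io.BytesIO(ipcc_bytes)) as z:
        return sorted(z.namelist())


def read_member(ipcc_bytes, name):
    with zipfile.ZipFile(io.BytesIO(ipcc_bytes)) as z:
        return z.read(BUNDLE_DIR + name)


def read_plist(ipcc_bytes, name):
    # plistlib.loads detects XML and binary plists, so this works for either form
    return plistlib.loads(read_member(ipcc_bytes, name))


def patch_bundle(ipcc_bytes, new_prl, plist_updates):
    """Return a new IPCC with 310VZW.prl replaced (same file name, as the guides
    do) and the given keys merged into carrier.plist.  zipfile cannot rewrite a
    member in place, so the whole archive is copied."""
    if len(new_prl) < 2:
        raise ValueError("refusing to install an empty PRL")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(ipcc_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == BUNDLE_DIR + "310VZW.prl":
                data = new_prl
            elif info.filename == BUNDLE_DIR + "carrier.plist":
                plist = plistlib.loads(data)
                plist.update(plist_updates)
                data = plistlib.dumps(plist, fmt=plistlib.FMT_BINARY)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    stock = build_sample_ipcc()
    print(list_bundle(stock))
    patched = patch_bundle(stock, b"\x00\x10METRO-PRL-SAMPLE", {"CarrierName": "metroPCS"})
    print(read_plist(patched, "carrier.plist"))
```

Rewriting the archive rather than editing a member in place is the same reason the Cricket author preferred saving straight back into the zip: the bundle's directory layout and file names must stay exactly as the OS expects them.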

    (GUIDE) iPhone 4 and 4S flashed to Page Plus

    Upon my research of trying to make a jump to prepaid on my iPhone, I was really left between a rock and a hard place. I had a Verizon CDMA iPhone 4 32GB. Now as many of you know, the CDMA iPhone 4 does not have a SIM card slot. So all GSM carriers were out of the question. The phone was given to me by a friend who had upgraded to the iPhone 4S and then the 5. It really was something I was thankful to have and now I needed to find a use for it.


    The Verizon family plan would not allow a smartphone (purchased either outright or subsidized) to be put on it at its current price. We would need to switch to the new Share Everything. Not really an option, as it would literally cost more for less, even if we all stayed with basic phones.

    Upon researching the CDMA prepaid carriers I came across Virgin (Sprint network), Boost (Sprint network), TalkForGood (Verizon network), and Page Plus (Verizon Network). Both Virgin and Boost would not work where I live even if I flashed it to the Sprint baseband due to coverage issues. So it was a choice of TalkForGood or PagePlus. 

    (TalkForGood is a great option for those who use little to no data on their phones or do a lot of either calling OR texting. If that meets your needs, check them out, as they are a fantastic option and are pretty new.)

    PagePlus, unlike TalkForGood, does not openly support iPhone activation. So we need to use some unofficial ways to get it activated.

    Step 1: Create a Page Plus account at https://www.pagepluscellular.com/login/register/

    This will give you access to the customer service online chat feature. This is necessary to get it going. Don't worry, you do not need a phone active in order to create an account.

    Step 2: Submit a request to get a new number using the standard activation page with the iPhone's MEID where it asks for the ESN. (YOU MUST HAVE A CLEAN ESN FOR THIS TO WORK). It will of course fail and give a "DEVICE REJECTED" error code. Don't worry this is all normal. We just want to submit the request to get our foot in the door.

    Step 3: Log into your account and fire up chat. Tell them you do not know why activation failed and would like to activate your phone. Do not say it is an iPhone unless they explicitly ask. Most of the time they will have no issue getting it going.

    Step 4: Provide the appropriate MEID for the ESN number, and make sure you state your zip code you want your number to be in. If you are porting a number we will get there.

    Step 5: After the representative gives the A-OK to begin activation, wait roughly 15 minutes for the system to update. Then dial *22890. Make SURE voice roaming is turned on for this step. Otherwise activation may fail and you will be left with a "No Service" indicator.

    Step 6: Congratulations you are now activated. If you plan on keeping the new number, go ahead and make some test calls with the $2.00 credit that is on the house. If you are porting in continue on.

    Step 7: Either call Page Plus or chat them and fill out the appropriate questions for porting in a number. Most numbers take as little as three hours. 

    Step 8: Wait three hours after finishing the call and dial *22890 again and the "My Number" info should update to reflect your newly ported number. 

    Step 9: You can now either add money or switch to a No-Contract plan.

    Step 10: Enjoy your now-cheaper iPhone bill.

    NOTES: 
    Before beginning make sure Voice Roaming is on.

    Do not add a plan until after the number has ported if applicable.

    Once the phone is in the system it should never be removed, so you do not run the risk of deactivation.

    If your phone is currently active on VZW, switch the VZW line to another phone to free up the iPhone.

    I wrote this guide as a means to help those who are looking to switch with an iPhone as I had to kind of go in the dark when it came to moving over. I hope this helps anyone interested and do not be afraid to ask any questions.
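Both the metroPCS guide ("Google for a MEID to ESN converter") and the Page Plus guide (enter the MEID where the form asks for the ESN) hinge on the same identifier conversion. As an added example written for this page, not code from either guide, the script below implements the public 3GPP2 derivation of the pseudo-ESN (pESN = 0x80 followed by the low 24 bits of SHA-1 over the 7-byte MEID) together with the hex and decimal forms carriers ask for. The sample MEID is constructed and belongs to no real device. The 18-digit all-numeric string the metroPCS guide mentions is the decimal form of the MEID itself, which the script also produces; the pESN is 8 hex or 11 decimal digits.

```python
"""MEID to pseudo-ESN (pESN) conversion per 3GPP2, plus hex/decimal forms.  Constructed example."""
import hashlib
import re

MEID_HEX_RE = re.compile(r"[0-9A-F]{14}")


def normalise_meid(meid: str) -> str:
    """Accept a hex (14 chars) or decimal (18 digits) MEID; return upper-case hex."""
    s = meid.replace(" ", "").upper()
    if MEID_HEX_RE.fullmatch(s):
        return s
    if re.fullmatch(r"\d{18}", s):
        # decimal form is two fields: 10 digits (32-bit manufacturer code) + 8 digits (24-bit serial)
        mfr, serial = int(s[:10]), int(s[10:])
        if mfr > 0xFFFFFFFF or serial > 0xFFFFFF:
            raise ValueError("decimal MEID fields out of range")
        return f"{mfr:08X}{serial:06X}"
    raise ValueError("MEID must be 14 hex digits or 18 decimal digits")


def meid_hex_to_dec(meid_hex: str) -> str:
    """18-digit decimal MEID: 10 digits for the first 8 hex, 8 digits for the last 6."""
    meid_hex = normalise_meid(meid_hex)
    return f"{int(meid_hex[:8], 16):010d}{int(meid_hex[8:], 16):08d}"


def meid_to_pesn(meid: str) -> str:
    """pESN = 0x80 || least-significant 24 bits of SHA-1(MEID bytes)."""
    digest = hashlib.sha1(bytes.fromhex(normalise_meid(meid))).digest()
    return "80" + digest[-3:].hex().upper()


def pesn_hex_to_dec(pesn_hex: str) -> str:
    """11-digit decimal pESN: 3 digits for the 8-bit prefix, 8 for the 24-bit hash."""
    return f"{int(pesn_hex[:2], 16):03d}{int(pesn_hex[2:], 16):08d}"


def is_pesn(esn_hex: str) -> bool:
    """Every pESN starts with 0x80, which is how a carrier system recognises one."""
    return len(esn_hex) == 8 and esn_hex.upper().startswith("80")


if __name__ == "__main__":
    meid = "A0000000002329"   # constructed sample, not a real handset
    pesn = meid_to_pesn(meid)
    print("MEID hex", meid, "dec", meid_hex_to_dec(meid))
    print("pESN hex", pesn, "dec", pesn_hex_to_dec(pesn))
```

Because the pESN is a 24-bit hash of a 56-bit MEID, two different devices can share a pESN; this is why carrier systems key on the MEID where they can and why a store cannot simply type in "the ESN" for an unsupported handset without the full identifier.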