Hello, dear readers. In this article I want to tell you about modifying the system files of the iOS operating system. Our test subject will be a first-generation iPhone, which by now is a rarity, but this information is also relevant for other Apple devices.
For those who do not know, the first iPhone looks like this:
For the experiments we will need the phone itself (jailbroken), the iFunBox program for viewing and modifying system files, the IDA disassembler, and a hex editor.
iOS 3.1.3 is installed on my phone, but these modifications will probably work on other versions as well.
I think we can move from words to deeds.
We will modify the system application SpringBoard, which is responsible for the interface, including unlocking, the desktop, and so on.
We connect the smartphone (I am not afraid of this word) to the computer, open iFunBox, go to the /System/Library/CoreServices/SpringBoard.app directory and copy its contents to the computer for further study and modification.
Here we see a lot of .png files as well as folders with localization data, but that is not what interests us. We are interested in the application code itself, and that code is in the SpringBoard file.
Run IDA, open the SpringBoard file in it, click OK in the window that appears, and click OK in all the following windows.
After some time the analysis will finish and we will see the disassembled listing.
As you can see, all the functions have “human” names of the form “class + method name”, which is very convenient. Now we can proceed to modding SpringBoard.
As you can see, the desktop holds at most 4 icons horizontally and just as many vertically, but this restriction can be changed, and quite simply. The easiest option, of course, is to install a tweak from Cydia, but that option is not for us: we will patch the executable file to achieve the goal.
Open the function “SBIconList maxIconRows”.
The whole algorithm of this function is to return the number 4; this number is the maximum number of icons vertically on the desktop, and I suggest trying to change it to, say, 5.
To change this restriction we need to find the offset of the instruction “MOV R0, #4” in the file, and this is done very simply: subtract 0x1000 from the instruction address 0x4DE18 and we get the offset of the instruction in the executable file, 0x4CE18.
Open the hex editor and go to offset 0x4CE18.
The byte I highlighted in the figure is the number of icons vertically on the desktop; we change its value to 5 and save.
After saving the file, go to iFunBox and replace the original SpringBoard file with the modified one, then restart the phone and look at the result.
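The address-to-offset step above is the one place where the hand procedure can silently go wrong: the “subtract 0x1000” rule holds because the binary's __TEXT segment is mapped at virtual address 0x1000 but begins at file offset 0, and a binary laid out differently needs a different correction. The following added example (my code, not the article's, and not SpringBoard itself) reads the segment table of a 32-bit Mach-O to do the translation in general, then rewrites the imm8 field of a Thumb “MOVS Rd, #imm8” instruction after checking that the halfword at that offset really is one. The Mach-O it operates on is constructed in `build_sample()` so the script runs offline; the addresses 0x4DE18 and 0x4CE18 are taken from the article, everything else about the sample binary is made up.

```python
# Added example (not from the article): translate an IDA virtual address into a
# file offset by reading the Mach-O segment table, then patch the imm8 field of
# a Thumb "MOVS Rd, #imm8" instruction such as the MOV R0, #4 in maxIconRows.
# The binary below is constructed in build_sample(); it is not SpringBoard.
import struct

MH_MAGIC = 0xFEEDFACE   # 32-bit Mach-O; on-disk bytes are CE FA ED FE (little-endian)
LC_SEGMENT = 0x1        # 32-bit segment load command
MACH_HEADER_SIZE = 28
SEGMENT_CMD_SIZE = 56


def read_segments(blob):
    """Return (name, vmaddr, vmsize, fileoff, filesize) for each LC_SEGMENT."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags = struct.unpack_from("<7I", blob, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a thin little-endian 32-bit Mach-O (fat binaries not handled)")
    segments = []
    pos = MACH_HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, pos)
        if cmd == LC_SEGMENT:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16s4I", blob, pos + 8)
            segments.append((name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        pos += cmdsize
    return segments


def vaddr_to_fileoff(blob, vaddr):
    """File offset of a virtual address. In the article's binary __TEXT is mapped at
    0x1000 and starts at file offset 0, which is why 'subtract 0x1000' works there."""
    for _name, vmaddr, vmsize, fileoff, filesize in read_segments(blob):
        if filesize and vmaddr <= vaddr < vmaddr + vmsize:
            return fileoff + (vaddr - vmaddr)
    raise ValueError(f"0x{vaddr:X} is not backed by any file segment")


def patch_movs_imm8(blob, vaddr, new_value):
    """Rewrite the imm8 of a Thumb 'MOVS Rd, #imm8' (encoding 001 00 Rd imm8).
    The imm8 is the low byte of the halfword, i.e. the first byte on disk."""
    off = vaddr_to_fileoff(blob, vaddr)
    insn = struct.unpack_from("<H", blob, off)[0]
    if insn & 0xF800 != 0x2000:
        raise ValueError(f"0x{insn:04X} at 0x{vaddr:X} is not MOVS Rd, #imm8")
    if not 0 <= new_value <= 0xFF:
        raise ValueError("imm8 must fit in one byte")
    struct.pack_into("<H", blob, off, (insn & 0xFF00) | new_value)
    return off


def build_sample(text_size=0x50000):
    """Constructed armv6 Mach-O: __PAGEZERO at 0, __TEXT at 0x1000 / file offset 0,
    carrying 'MOVS R0, #4 ; BX LR' at virtual address 0x4DE18 (file offset 0x4CE18)."""
    segs = [(b"__PAGEZERO", 0x0, 0x1000, 0, 0), (b"__TEXT", 0x1000, text_size, 0, text_size)]
    cmds = b"".join(
        struct.pack("<2I16s8I", LC_SEGMENT, SEGMENT_CMD_SIZE, name, vmaddr, vmsize,
                    fileoff, filesize, 0, 0, 0, 0)   # maxprot, initprot, nsects, flags
        for name, vmaddr, vmsize, fileoff, filesize in segs)
    # cputype 12 = CPU_TYPE_ARM, subtype 6 = ARM_V6, filetype 2 = MH_EXECUTE
    header = struct.pack("<7I", MH_MAGIC, 12, 6, 2, len(segs), len(cmds), 0)
    blob = bytearray(text_size)
    blob[:len(header) + len(cmds)] = header + cmds
    blob[0x4CE18:0x4CE1C] = bytes([0x04, 0x20, 0x70, 0x47])  # MOVS R0,#4 ; BX LR
    return blob


if __name__ == "__main__":
    sb = build_sample()
    off = patch_movs_imm8(sb, 0x4DE18, 5)
    print(f"patched file offset 0x{off:X}: bytes now {sb[off:off + 2].hex()}")   # 0520
```

The opcode check matters more than it looks: the article's highlighted byte is only the icon count because the instruction is a Thumb MOVS with an 8-bit immediate, so a stray byte edit one position off would change the register field or the neighbouring instruction instead.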
Before modification
After
Instead of 5 you can put any other number. Now we will change the number of icons horizontally; for this we go to the neighboring function “SBIconList maxIconColumns” and do exactly the same as last time.
Change the number of icons horizontally to 6: for this we again calculate the instruction offset, patch the file and upload it to the device.
Now the desktop looks like this
This modification is of little practical use, but it will do for gaining experience and just for fun.
Go to the function “SBIconModel isIconVisible”.
This function decides whether the icon should be displayed and returns the corresponding result: if it has decided that the icon needs to be displayed it returns 1, and if the decision is negative, 0.
Our task is to correct the function so that it always returns 0.
Open “Graph view” mode and look at the function's flow graph. Pay attention to the second block, or rather to the conditional jump after it and where it leads.
At the end of the function we see that all branches end up in one of two possible places depending on the result.
The conditional jump I mentioned above, when the condition holds, transfers control to the block where the R3 register is assigned 0; if the condition is not met, the jump is not taken and the further calculation of whether the icon needs to be displayed begins.
The simplest option is to make the jump always be taken to the branch we need by changing the CMP instruction, or rather its argument, for example to 2.
But we will go a somewhat more complicated way and replace the BNE instruction (jump if not equal) with BEQ (jump if equal). However, in this situation we simply invert the condition: theoretically, icons that should be displayed will stop being displayed, and those that should not be displayed will be.
Open the address of the BNE instruction (which in the picture above is right after the CMP) in the hex editor.
This instruction occupies 2 bytes. The first is the offset by which to “jump”, and the second is the opcode of the instruction, which we need to change.
We change the opcode of the BNE instruction, 0xD1, to the opcode of BEQ, 0xD0, then save and upload the modified file to the device.
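Why 0xD1 becomes 0xD0 and nothing else has to move follows from the 16-bit Thumb encoding of “B<cond> label”: the top nibble 0xD is the opcode, the next nibble is the condition code (EQ is 0, NE is 1, and each condition's inverse differs from it only in the low bit), and the low byte is a signed count of halfwords relative to PC, which in Thumb reads as the instruction address plus 4. The added example below (my code, not the article's) decodes such a branch, resolves its target, inverts the condition in the same way as the hex edit above, and rejects halfwords that are not conditional branches, since 0xDE is UDF and 0xDF is SVC. The halfword 0xD10A used as the sample is constructed; the article does not show the real offset byte.

```python
# Added example (not from the article): decode a Thumb conditional branch
# "B<cond> label" (encoding 1101 cond imm8) and invert its condition, which is
# what changing the second on-disk byte 0xD1 (BNE) to 0xD0 (BEQ) does.
# The halfword 0xD10A below is a constructed sample, not a value from SpringBoard.
import struct

# cond values 0x0..0xD; 0xE and 0xF encode UDF and SVC, not branches
COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE"]


def decode_bcond(halfword):
    """Return (condition name, byte offset) of a 16-bit B<cond> instruction."""
    if halfword & 0xF000 != 0xD000:
        raise ValueError(f"0x{halfword:04X} is not a Thumb B<cond>")
    cond = (halfword >> 8) & 0xF
    if cond >= 0xE:
        raise ValueError("opcode 0xDE is UDF and 0xDF is SVC, not a branch")
    imm8 = halfword & 0xFF
    signed = imm8 - 0x100 if imm8 & 0x80 else imm8   # imm8 is a signed halfword count
    return COND_NAMES[cond], signed * 2


def branch_target(insn_addr, halfword):
    """Thumb branch offsets are relative to PC, which reads as insn_addr + 4."""
    _, offset = decode_bcond(halfword)
    return insn_addr + 4 + offset


def invert_bcond(halfword):
    """Flip the low bit of cond: EQ<->NE, CS<->CC, ..., GT<->LE. The offset byte is untouched."""
    decode_bcond(halfword)            # reject anything that is not a real B<cond>
    return halfword ^ 0x0100


def patch_branch_condition(blob, fileoff):
    """Invert the B<cond> stored little-endian at fileoff; return (old, new) halfwords."""
    old = struct.unpack_from("<H", blob, fileoff)[0]
    new = invert_bcond(old)
    struct.pack_into("<H", blob, fileoff, new)
    return old, new


if __name__ == "__main__":
    # Constructed sample: BNE with imm8 = 0x0A at address 0x1000, stored on disk as 0A D1.
    code = bytearray(b"\x0A\xD1\x00\x00")
    print(decode_bcond(0xD10A), hex(branch_target(0x1000, 0xD10A)))   # ('NE', 20) 0x1018
    old, new = patch_branch_condition(code, 0)
    print(f"{old:04X} -> {new:04X}, bytes now {code.hex()}")          # D10A -> D00A, bytes now 0ad00000
```

Because the low byte is a PC-relative halfword count, the same two-byte edit is only safe while the patched instruction stays where it was; inserting or deleting bytes anywhere before the target would require recomputing it, which is why the article's patches are all same-size overwrites.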
The screenshot below shows the result.
I dreamed about the very first iPhone model for a long time and only recently had the opportunity to buy one, and in very good condition. After a week of use that was not enough for me, and I was eager to find out what was “under the hood”. I already had knowledge of assembler and experience in reverse engineering, but everything was greatly complicated by the almost complete lack of documentation (even foreign) on the internal structure of iOS, so I had to learn through trial and error.
If this article turns out to be interesting to you, I will write a second part, where I will tell you a lot more interesting things about modifying the firmware of the first iPhone.
Source: https://habr.com/ru/post/346804/