
Sunday, February 3, 2013

Here is an actual screenshot of the program...



You can download the jailbreak now from www.evasi0n.com!

pod2g

Monday, January 28, 2013

Tuesday, January 15, 2013

2G Lab

Hi.

You readers certainly know that I have not been very present in the security field for a few months now.

The reason for this was the creation of my company, 2G Lab, which focuses on two different areas: development and security research.

Now that our first application, named podDJ, is out on the App Store, we will focus on both subjects.

If you have a project that you would like 2G Lab to work on, contact us: contact at 2g-lab dot com.

Best wishes to you all,

Cyril (@pod2g)

Sunday, September 30, 2012

WWJC 2012 slides


I really enjoyed being in San Francisco on September 29, 2012 for the WWJC conference.

I watched awesome presentations from the best iOS tweak developers out there:
- Aaron Ash
- Josh M. Tucker
- Carsten Heinelt
- @ih8sn0w
- @NitoTV
- Ryan Petrich
- Jay Freeman
- Dustin Howett
- @pimskeks

I also met some of my fans ;-) Thanks to them for their support!!!

I am looking forward to the next WWJC event, which should happen next year in New York.

Here are the slides of my talk: Jailbreak Techniques, WWJC 2012

Next con on my agenda: HITB 2012 in Malaysia, from October 10 to 11.

Friday, August 17, 2012

sendrawpdu: send raw SMS PDU data to the iPhone 4 baseband


The little tool sendrawpdu is now on GitHub. It is based on iphone-elite's sendmodem. With an iPhone 4 and this sample code, you can verify my statements for free ;-).
By the way, I read some comments around saying that SMS spoofing is not new, that one can modify the origin address of an SMS in the protocol, and so on.
Now tell me, how can you do this without paying a dedicated service, which is in fact a gateway talking to the carrier at a lower layer than the PDU data? In an SMS-SUBMIT message, you can't change the origin address.

Never trust SMS: iOS text spoofing

I mentioned it on Twitter a few days ago: I found a flaw in iOS that I consider severe, even though it does not involve code execution. I am pretty confident that other security researchers already know about this hole, and I fear some pirates do as well.
The flaw has existed since the beginning of the SMS implementation in the iPhone, and is still there in iOS 6 beta 4. Apple: please fix it before the final release.
An SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.
PDU is a pretty dense protocol, allowing different types of messages to be emitted. Some examples: SMS, Flash SMS, voicemail alerts, EMS, ...
The specification is large and pretty complex. As an example, just to encode the data there are multiple possible choices: 7-bit, 8-bit, UCS2 (16-bit), compressed or not, ...
If you own either a smartphone, or a modem and an account with an SMS gateway, you can send texts in raw PDU format (some services also exist to send a text in raw PDU format with an HTTP request). For the easiest option, the smartphone, there are different tools available online. I made one for the iPhone 4 that I will publicize soon.
In the text payload, an optional section called UDH (User Data Header) defines a lot of advanced features that not all mobiles support. One of these options lets the sender change the reply address of the text. If the destination mobile supports it, and the receiver tries to answer the text, he will not respond to the original number but to the specified one.
Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else.
In a good implementation of this feature, the receiver would see both the original phone number and the reply-to one. On the iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin.
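To make the receiving side concrete, here is an added example (my own code, not pod2g's sendrawpdu and not anything from Apple's SMS stack) that parses an SMS-DELIVER PDU the way a handset gets it from the baseband, pulls the reply address out of the UDH and shows it next to the real originating address, which is exactly what the "good implementation" above would do. It assumes the reply address travels in the User Data Header as the Reply Address Element of 3GPP TS 23.040 (information element identifier 0x22, encoded like a TP-DA address); the SMSC, phone numbers and message text in the sample PDU are constructed for the demonstration.

```python
"""Added example: parse an SMS-DELIVER PDU as a handset would receive it and
show the originating address and the UDH reply address side by side, so a
reply-address spoof cannot hide the real sender. Numbers below are made up."""
import math

# Information Element Identifier for the "Reply Address Element" in the
# User Data Header (3GPP TS 23.040).
IEI_REPLY_ADDRESS = 0x22

# Codes in the GSM 7-bit default alphabet that are NOT the same as ASCII;
# everything else in 0x20..0x7E is mapped straight through.
GSM7_NON_ASCII = {0x24, 0x40, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60,
                  0x7B, 0x7C, 0x7D, 0x7E}


def decode_address(data, pos):
    """Decode a TP-OA/TP-DA style address at data[pos]: digit count,
    type-of-address octet, then BCD digits with swapped nibbles.
    Returns (number, position after the address)."""
    ndigits, toa = data[pos], data[pos + 1]
    nbytes = (ndigits + 1) // 2
    digits = ""
    for b in data[pos + 2:pos + 2 + nbytes]:
        digits += "%x%x" % (b & 0x0F, b >> 4)
    digits = digits[:ndigits]            # drop the 0xF filler nibble
    if toa & 0x70 == 0x10:               # type-of-number = international
        digits = "+" + digits
    return digits, pos + 2 + nbytes


def parse_udh(ud):
    """Walk the User Data Header (length octet, then IEI/length/data
    triples). Returns ({iei: data}, header length in octets)."""
    udhl = ud[0]
    ies, pos = {}, 1
    while pos + 1 < 1 + udhl:
        iei, iel = ud[pos], ud[pos + 1]
        ies[iei] = bytes(ud[pos + 2:pos + 2 + iel])
        pos += 2 + iel
    return ies, 1 + udhl


def decode_gsm7(ud, total_septets, skip_septets):
    """Unpack GSM 7-bit septets (LSB first) from the user data. When a UDH is
    present the text starts on the first septet boundary after the header,
    so skip_septets = ceil(header_octets * 8 / 7) also covers the fill bits."""
    out = []
    for i in range(skip_septets, total_septets):
        byte_i, bit_i = divmod(7 * i, 8)
        val = ud[byte_i] >> bit_i
        if bit_i > 1 and byte_i + 1 < len(ud):
            val |= ud[byte_i + 1] << (8 - bit_i)
        val &= 0x7F
        out.append(chr(val) if 0x20 <= val < 0x7F and val not in GSM7_NON_ASCII else "?")
    return "".join(out)


def parse_sms_deliver(pdu_hex):
    """Parse an SMS-DELIVER PDU (SMSC prefix included, as read with AT+CMGR)
    and return origin, UDH reply address, text and a spoof flag."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                     # skip the SMSC address
    first = pdu[pos]
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)            # TP-UDHI: a User Data Header follows
    origin, pos = decode_address(pdu, pos + 1)
    dcs = pdu[pos + 1]
    pos += 2 + 7                         # TP-PID, TP-DCS, TP-SCTS (7 octets)
    udl, ud = pdu[pos], pdu[pos + 1:]
    reply_to, header_octets = None, 0
    if udhi:
        ies, header_octets = parse_udh(ud)
        if IEI_REPLY_ADDRESS in ies:
            reply_to, _ = decode_address(ies[IEI_REPLY_ADDRESS], 0)
    coding = dcs & 0x0C                  # DCS general group: bits 3..2 select the alphabet
    if coding == 0x00:                   # 7-bit: UDL counts septets, header included
        text = decode_gsm7(ud, udl, math.ceil(header_octets * 8 / 7))
    elif coding == 0x08:                 # UCS2: UDL counts octets
        text = ud[header_octets:udl].decode("utf-16-be")
    else:                                # 8-bit data
        text = ud[header_octets:udl].decode("latin-1")
    return {"origin": origin, "reply_to": reply_to, "text": text,
            "spoof_suspect": reply_to is not None and reply_to != origin}


def render_for_user(msg):
    """What a careful handset UI should display: never the reply address alone."""
    line = "From %s" % msg["origin"]
    if msg["reply_to"]:
        line += " (replies go to %s)" % msg["reply_to"]
    return line + ": " + msg["text"]


# Constructed sample: SMSC +1234567890, origin +15551230001, 7-bit text
# "Bank alert", with a UDH reply address element pointing at +18005550199.
SAMPLE_PDU = ("06912143658709" "44" "0B915155210300F1" "0000" "21807101030000"
              "17" "0A22080B918100550591F9" "1086DD6B50985D96D301")

if __name__ == "__main__":
    msg = parse_sms_deliver(SAMPLE_PDU)
    print(render_for_user(msg))
    print("reply address differs from origin:", msg["spoof_suspect"])
```

Run as-is and the sample prints `From +15551230001 (replies go to +18005550199): Bank alert`, with the spoof flag set because the two addresses differ. The point of `render_for_user` is the design choice the post argues for: the originating address is always shown, and the reply address is shown as an extra, so a message that carries a 911 or a bank's number in the UDH cannot pass itself off as coming from there. Alphanumeric senders (type-of-number 0x50) and the non-ASCII part of the GSM 7-bit alphabet are left out to keep the parser short.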
Why is it an issue?
  • pirates could send a message that seems to come from the receiver's bank, asking for private information or inviting them to go to a dedicated website. [Phishing]
  • one could send a spoofed message to your device and use it as false evidence.
  • anything you can imagine that could be used to manipulate people, making them trust that somebody or some organization texted them.
Now you are alerted. Never trust any SMS you receive on your iPhone at first sight.

Monday, July 23, 2012

Pwnie Awards 2012


I am nominated for the Pwnie Awards 2012 with the kernel exploit used in Corona!
Thank you very much to the people who chose me; I am really happy and proud of it.

Here is the quote :


iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

Credit: pod2g

This exploit was used for the Absinthe iOS 5.0/5.0.1 untether. It massaged the kernel heap into submission, copying over the syscall table and giving pod2g (as well as jailbreak users everywhere) a happy ending. And who doesn't love happy endings?

I can't wait for the results! It will happen on July 25 at the BlackHat USA conference.