Apple's top-secret iBoot firmware source code spills onto GitHub for some insane reason

Who knew the actual code for iBoot were song lyrics?

"It's not that hard to find."

I'm not sure whats more startling - that this source code escaped from cupertino or that some people still think rick rolling is still amusing in 2018.

Google "github iboot" for a proper link.

@AC

git.

I din't click on the Link but it's good to see Rick Rolling is still a thing

That was really annoying, it interrupted me listening to Rick Astley

RE: It's not that hard to find

"Anonymous Coward

It's not that hard to find.

Link"

Damn you sir. Damn you to Hell.

just waiting to be rickrolled...

(and I hadn't read the rest of the comments...)

Re: My device - I'll jail break it if I want to ...

Yes, if you break it, you get to keep the pieces. Or something along these lines.

Re: My device - I'll jail break it if I want to ...

And Apple have the right to prevent your access to the store.

Re: Is it Legit?

Yeah, I wouldn't consider it a global IT security issue. But it may be indicative of some insiders at Apple resisting the fruity firm's notorious internal police-state-style setup. Apple's team structure and corporate culture is more secretive, compartmentalized and restrictive than most intelligence agencies, and many of the engineers have only really put up with it as long as the tech remained exciting to work with.

Endlessly iterating the same 4-5 basic product lines gets dull quickly, and I wouldn't be surprised if some of the rank-and-file techies are getting fed up with the relatively poor pay and relatively bad working conditions compared to the other tech giants (while still being markedly better than 99% of the world's population have to put up with). And Tim Cook ain't Steve Jobs; people will put up with more shit to work with one of the really big names in technology from the late 20th century (even if he was an asshole) than they will working for an identikit corporate type.

Re: Is it Legit?

Having now glanced at the code, it does appear to be legit and intact. Includes pretty much everything you need to make a working build.

Heck, even has documentation for fuzzing!

I'd say with almost complete certainty that this is a real leak, and is complete without missing anything.

Anon because, well yeah can't let Apple know I have it!

Re: Is it Legit?

All it needs is for the code to have been written by Apple. The Copyright statements are enough to get it taken down. It does not have to be the real boot code... but probably is.

I agree. This was my first thought when I read the statement by "Karl". But as you say, it probably is.

I'd also be willing to suspect that most of it(1) is still in any new iPhone/iPad you could buy today - bootloader code tends, in my experience, to be much more stable (in the sense of frequency of changes) than OS core and especially application code.

(1) Except the 32-bit assembler parts on an iPhone X - its processor can't run 32-bit code, they say.

Re: Is it Legit?

Apple is probably changing the boot code as we comment (or may have done already)

Why would they introduce new bugs? Far better to keep it as it is and let a whitehat report something or watch the blackhat marketplaces.

Re: Got my copy!

Way to go, Jake. Oops - I mean Anon.

P.S. You may want to consider deleting your post.

Re: Got my copy!

"Anon because of admitting that."

Bloody browsers and their convenient auto login features or is the post anon tick box broken?

Re: Got my copy!

I just did that too, thanks for the savvy advice Jake. It is always clever to do these things anonymously as you very opportunely mentioned. God knows what could happen if those bastards found out our real identities.

Re: Got my copy!

"If you want it, go get it while you can!"

There's no rush. Once it's out, it can't really be taken back.

Re: why

Because having tried 3 generations of android phone and been sick of the lack of updates I tried to avoid Apple. I then bough a windows 10 phone, great device at first but ended up with less and less apps I wanted and did become less reliable over time. I've finally joined the rest of the family with an iphone and guess what - it just works.

Don't even talk to me about using developer builds, several of the apps I want to use will detect that a droid has been rooted and will then refuse to execute.

Mi wife was happily using her IPhone 3GS until last year, during the time she owned it I've changed phones 4 times, It looks like her iPhone 6 will last at least another 2-3 years and I'll use the iPhone 7 I bought until it stops receiving IO|S updates. All this and it actually works well with the google play apps and devices, something which was never available on the windows phone.

Re: why

"Seriously, why do people pay (what I consider to be) a ridiculous amount of money for a computing device when the manufacturer openly admits how hard they work to lock you out of it."

This is the primary reason why an iPhone is a nonstarter for me.

Yeah

Why buy a Mercedes if a FIAT drives, too ?

@Hans 1

Obligatory "you must be new here" comment

I don't know.

It seems rather secret to me. I mean, how many people could possibly know it is there, read it, and be reverse engineering it right now?

I tell you! Certainly less than 50% of the population. So IMO that's a massive success and is still a secret!

"What really happened to those people who peddled WindowsNT and Win2k source code back in the day?"

Bugger-all.

I got a toothless nastygram via my ISP for the crime of just being in the torrent, signed by Microsoft General Counsel Brad Smith under penalty of perjury.

Which was rather odd, because when the torrent finished downloading, it turned out to be a gay porn film featuring hunky German bikers, and not a zip of the Win2k source after all.

Spelunking the Win2K/NT codebases

Well the whole code base ( minus network stack - basically BSD) and build scripts where there but unless you were a very experienced Win16/32 and os systems programmer it was not going to make much sense. But the people like me who were both were unlikely to do much with it apart from use it for reference. Which we did.

Did learn some interesting things from the code base. Such as not only does MS lie to outsiders but there is a chain of lying inside MS management too. I remember some very specific technical statements made by various top people at MS over the years which were proved false by the source code and the call chain. And knowing how MS internal politics works the people at the top must have been lied to by those below. In MS bullshit not only flows down the organizational chain but up it too.

The other fun fact was that not only was the source code for the whole security stack API's in the wild but also the code for generating all the various certificates etc. Even the code that generated the various OS serial numbers. Product key etc.

So much for a secure Win32 machine. No such thing.

Lots of fun nooks and crannies in the two 300M plus source codebase. The source code for MineSweeper for example. Oh, and IE. Still quite a bit of Spyglass code kicking around. It was the NT4 and Win2k/XP transition codebases. Between the two, plus the DDK you had a complete build. Did partial builds as an experiment and as it all seemed to be in there but could not be arsed to build the whole thing.

Closed source code has a legitimate place in the market. As a developer, if I manage to code an application that has a market to sell to, I do not see any interest for me in posting the code on GitHub or anywhere else because that would remove any incentive to pay me for the application.

If, however, I want to create an application with the firm intention of giving away the code to ensure maximum adoption, I have the freedom of doing so.

On the other hand, I firmly believe that closed source is not the way to go in future for creating operating systems. Our computing platforms must be managed by things we can trust, and the only way to trust them is to have them based on open-source platforms.

Open-source platforms that will run the applications we need or want, whatever source the code is.

As for giving the owner root, on a PC I totally agree because I've been using one since the first IBM PC 8086. On a consumer item though, I can totally understand that no manufacturer wants to do that because customer complaints are already hard enough without allowing the clueless lusers the ability to royally fuck their hardware up and them come back complaining - which we all know they will do.

Re: The dangers of a monoculture ..

Put a hardware switch on - great, now you can NEVER fix a bug in the bootloader.

Encrypt everything with a unique key? You still need to store the key somewhere and then decrypt and execute pretty much the same code for everything. The key being different doesn't help. Pretty much this is the TPM solution. It doesn't stop things being hacked, it just makes support, troubleshooting and repairs/replacement almost impossible (there's a reason that your Apple store will tend to bin your phone and just give you another of the same model).

None of that stops people finding flaws in the bootloader, attacking it, thereby getting access to things they shouldn't and using that to subvert the computer.

Re: The dangers of a monoculture ..

The benefits of an open source monoculture.

Imagine the freedom if android had a near 100% monopoly, where it didn't matter who you got your handset from, all your apps and data would just work... You don't like Samsung's 2018 model, then fine buy a sony or LG..

That's where we a today, and it s great. The only losers are apple owners, getting shatfted at every opportunity by apple, charging multiple times for the same app on different types of devices simply because they can...

Re: For now, don't panic.

Explain or step out of the airlock.

w h a t

Re: Sigh....Secrecy is not Security

Sorry, what is valid for cryptographic algorithms is not valid for any piece of code. In cryptography you still have a secret that is the key(s).

In many other fields, part of the security is exactly not knowing exactly how it works, because you have bot a "simple" data like a key able to protect it all.

Never extrapolate something outside its context - it may cease to be valid.

Re: Sigh....Secrecy is not Security

That's only true if secrecy is the ONLY security. If secret code becomes public you are no worse off than if it had always been public. If it stays secret you have an extra layer of difficulty for people to try to find exploits.