I hope to share more good things with people on Nuggets.


Jailbreaking

Most of you who use an Apple device or do iOS development have probably heard of jailbreaking, but what exactly is jailbreaking?

iOS jailbreaking is a technique for obtaining root privileges on an iOS device. Apple does not normally expose root on iOS; with root, the parts of the iOS file system that were invisible before the jailbreak can be read and modified.

Jailbreaking on iOS is comparable to rooting on Android: you obtain root on the system so that you can do more advanced things with it.

Some time ago I had a spare iPhone 4s lying around and jailbroke it for fun. I did not know how to proceed afterwards, and the phone ended up on the white Apple logo (stuck on the boot screen, unable to enter the system). In the end nothing worked and I could only upgrade the system, so that phone was wasted.

The tool I used then was Pangu, and the jailbreak was for iOS 7.x. iOS has since reached 11.x, many apps and games no longer support anything below iOS 8, the system's security keeps improving, and jailbreaking has become harder. At the time of writing, the highest jailbreakable version available should be iOS 10.3.x.

To analyse and learn from some well-designed apps, I simply bought an iPhone 6s Plus to jailbreak, so what follows is based on that phone.

Jailbreak tools and devices

[1]. iPhone 6s Plus, iOS 10.3.2
[2]. Jailbreak tools: Aisi Assistant and doubleh3lix.ipa

Install doubleh3lix.ipa onto the phone from the PC (with Aisi Assistant), then run the doubleH3lix app on the phone, tap the Jailbreak button, and wait for the device to restart.

When the phone comes back up and Cydia is on the home screen, the jailbreak succeeded. This is not an untethered ("perfect") jailbreak: the jailbreak does not survive a reboot, so after every restart the tool has to be run again.

If after a power-off or restart Cydia crashes on launch, re-run doubleH3lix to jailbreak again; if that still does not work, use Aisi Assistant again.

For 64-bit devices on iOS 10 to 10.3.3, see the Aisi Assistant one-click jailbreak tutorial.

Installing an iOS terminal

Install a terminal: search for MTerminal in Cydia and install it.

After installing the terminal, open it and enter

su

Enter the default root password, alpine, and press Enter.

To be safe, change the default password alpine:

passwd

Enter the new password twice; if the two entries match, the password is changed. The mobile user (the account apps run under) has the same default password, so change it as well with passwd mobile. Once SSH is reachable over Wi-Fi (next section), anyone on the same network who knows the default alpine password can log in as root, so do this before enabling SSH.

Configure SSH

Configuring and using SSH is the foundation of working with a jailbroken device: it lets you operate the iOS system from a macOS terminal, where all the usual shell commands are available, so do try to get this step working. Typing on a phone keyboard is painful, and nobody wants to do real work in a terminal on the iPhone itself.

The iOS 10 jailbreak already ships with an SSH server, so you do not need to install OpenSSH from Cydia separately.

After jailbreaking, many people find that OpenSSH is also installed, yet connecting to the iPhone fails or even reports an error. If you already have OpenSSH installed and still cannot SSH into the iPhone, read on.

[1]. In Cydia, search for OpenSSL and OpenSSH and uninstall both.

[2]. In Cydia, add the source http://cydia.ichitaso.com/test. Note that this is a third-party repository fetched over plain http, so you are trusting both that repository and the network path for a package that will run as root on the device.

[3]. Search for DropBear in Cydia and install it.

Once it is installed, SSH works normally.

Open a macOS terminal and connect to the iPhone over SSH.

[1]. Find the iPhone's IP address; mine is 192.168.1.105.

[2]. In the macOS terminal, type:

ssh root@192.168.1.105

On the first connection ssh shows the device's host key fingerprint and asks whether to continue; type yes, then enter the root password (alpine if you have not changed it). The session looks like this:

The authenticity of host '192.168.1.105 (192.168.1.105)' can't be established.
ECDSA key fingerprint is SHA256:ANF7Cvc1yM/ZdaHyz9V1EHjG115cylIcHWyOzCL+kzs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.105' (ECDSA) to the list of known hosts.
root@192.168.1.105's password:

On iOS 10.2.x jailbreaks, SSH could be enabled by editing the corresponding configuration file, but that does not help on iOS 10.3.x. If your phone is on an iOS 10.2.x jailbreak, see the appendix at the end of this article for the SSH configuration; it is the result of my earlier practice.

usbmuxd

The above connects to the iPhone over Wi-Fi. There is another way: usbmuxd connects to the iPhone over USB (the phone's data cable plugged into the computer), with no Wi-Fi needed. A USB connection responds faster than Wi-Fi and does not depend on a network being available.

usbmuxd only helps if SSH on the phone already works; otherwise usbmuxd cannot save you.

[1]. Install usbmuxd on macOS:

brew install usbmuxd

[2]. Use iproxy, which ships with usbmuxd.

iproxy forwards a local TCP port on the Mac to a port on the iPhone, so it can carry SSH and other connections.

Ports below 1024 are privileged on macOS (binding them requires root), and local port 22 may already be taken by the Mac's own sshd if Remote Login is enabled. So the device's port 22 is mapped to an unprivileged local port instead, which amounts to opening a channel between the Mac and the iPhone.

iproxy 5678 22
waiting for connection

This maps SSH port 22 on the device to port 5678 on the Mac: anything that talks to local port 5678 is talking to port 22 on the device. Check with lsof -iTCP:5678 -sTCP:LISTEN whether iproxy is listening on 127.0.0.1 or on all interfaces; in the latter case the tunnel into the phone is also reachable from the LAN.

"waiting for connection" means the tunnel is ready. Leave this terminal window open (closing it tears the tunnel down), open a second terminal and connect as root, entering the root password when prompted:

ssh -p 5678 root@127.0.0.1

The exchange is the same as the Wi-Fi one above. Note that the ECDSA fingerprint is identical to the one shown over Wi-Fi: it is the same device key. If the fingerprint seen over Wi-Fi ever differs from the one seen over the cable, something other than your phone is answering at that address and it should not be trusted.

The authenticity of host '[127.0.0.1]:5678 ([127.0.0.1]:5678)' can't be established.
ECDSA key fingerprint is SHA256:ANF7Cvc1yM/ZdaHyz9V1EHjG115cylIcHWyOzCL+kzs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[127.0.0.1]:5678' (ECDSA) to the list of known hosts.
root@127.0.0.1's password:

From here you can run shell commands on the iPhone from a macOS terminal. When you no longer need the session, type exit to leave SSH.
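The two sessions above show the same ECDSA fingerprint over Wi-Fi and over the USB tunnel. The following script turns that observation into a check: it is an added example, not code from the original post or from the jailbreak tools, and it assumes hypothetical values (iproxy already running as "iproxy 5678 22", the phone's Wi-Fi address 192.168.1.105, and a pinned-key file at ~/.ssh/iphone_known_hosts). It learns the host key through the cable with ssh-keyscan, writes it to a dedicated known_hosts file under both the tunnel name and the Wi-Fi address, and then connects over Wi-Fi with StrictHostKeyChecking=yes, so a different machine answering on the LAN address is refused instead of being trusted at the yes/no prompt.

```shell
#!/bin/sh
# Added example, not code from the original post. Pins the iPhone's SSH host
# key as learned through the USB tunnel and reuses it for Wi-Fi logins, so a
# different machine answering on the LAN address is refused instead of being
# trusted on first use. Assumed (hypothetical) values: iproxy already running
# as "iproxy 5678 22", Wi-Fi address 192.168.1.105, pinned keys kept in
# ~/.ssh/iphone_known_hosts.

USB_PORT=5678
WIFI_HOST=192.168.1.105
PIN_FILE="${HOME}/.ssh/iphone_known_hosts"

# Read known_hosts lines captured through the tunnel ("[127.0.0.1]:5678 keytype key")
# from stdin and emit one entry for the tunnel name and one for the Wi-Fi address,
# both carrying the same key. Comment and blank lines from ssh-keyscan are dropped.
rewrite_hosts() {
    wifi_host="$1"
    usb_port="$2"
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;
        esac
        key="${line#* }"                       # strip the host field, keep "keytype key"
        printf '%s\n' "[127.0.0.1]:${usb_port} ${key}"
        printf '%s\n' "${wifi_host} ${key}"
    done
}

# Learn the key over the cable (a physically attached device, hard to spoof
# from the network) and write the pinned file; then print its fingerprints
# so they can be compared by eye with what ssh showed over Wi-Fi.
pin_from_usb() {
    ssh-keyscan -p "$USB_PORT" 127.0.0.1 2>/dev/null \
        | rewrite_hosts "$WIFI_HOST" "$USB_PORT" > "$PIN_FILE"
    ssh-keygen -lf "$PIN_FILE"
}

# Connect over Wi-Fi using only the pinned file; with StrictHostKeyChecking=yes
# an unknown or changed key is a hard failure, not a yes/no prompt.
ssh_wifi() {
    ssh -o UserKnownHostsFile="$PIN_FILE" -o StrictHostKeyChecking=yes \
        "root@${WIFI_HOST}" "$@"
}

case "${1:-}" in
    pin)  pin_from_usb ;;                 # run once while the cable is attached
    wifi) shift; ssh_wifi "$@" ;;         # e.g. ./pin.sh wifi uname -a
esac
```

Run it once with the argument pin while the phone is on the cable and iproxy is up, then use it with wifi for every later login. The pinned file is separate from ~/.ssh/known_hosts on purpose: the entry ssh added there during the first Wi-Fi login was accepted blind, whereas the one written here was obtained over USB.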

Appendix

[1]. Using SSH on an iOS 10.2.x jailbreak.

Change the root password first.

The iOS 10.2 jailbreak (yalu102) comes with an SSH server, Dropbear, as the process list below shows. You do not need to install OpenSSH, but you need to modify one file before you can use it.

Install MTerminal on the phone, run su, enter the root password, and run:

ps aux | grep dropbear

If no dropbear process is listed, run:

/usr/local/bin/dropbear -F -R -p 22

You can then connect, and it still works after a reboot.

If instead you see a process like this:

/usr/local/bin/dropbear -F -R -p 127.0.0.1:22

This means Dropbear is listening on loopback only, so SSH is reachable solely through the USB cable (the usbmuxd tunnel above). To allow Wi-Fi access, edit /private/var/containers/Bundle/Application/D9185B6D-EA9E-4678-B59C-BF43DEFE67BF/yalu102.app/dropbear.plist, change the parameter 127.0.0.1:22 to 22, save, and restart the phone. The UUID directory name differs on every device, so look yours up under /private/var/containers/Bundle/Application/. Bear in mind that 127.0.0.1:22 is the safer setting: with 22 the server accepts connections from every host on the Wi-Fi network, so change the root password before making this switch.
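Changing the listen address by hand in a launchd plist is easy to get wrong and easy to forget to revert. The script below is an added example, not code from the original post or from yalu102: it switches the Dropbear plist between the loopback-only setting (127.0.0.1:22, reachable through the USB tunnel only) and the Wi-Fi setting (22), keeps a backup, and reads the setting back so the change can be verified. The plist path is the one quoted above with the UUID that differs per device, so pass your own; it assumes a sed with -i is available where you run it (on the phone from Cydia, or on the Mac after copying the file over with scp), and the plist written by sample_plist() is a constructed one that mirrors the dropbear command line shown above, used only for self-testing.

```shell
#!/bin/sh
# Added example, not code from the original post. Switches the yalu102 Dropbear
# launch plist between loopback-only (127.0.0.1:22, reachable only through the
# USB tunnel) and all interfaces (22, reachable over Wi-Fi), taking a backup and
# reading the setting back. The path below is the one quoted in the text; the
# UUID directory differs on every device, so pass your own path. Assumed: a sed
# with -i is available (Cydia on the phone, or the Mac after scp). sample_plist()
# writes a constructed plist mirroring the dropbear command line in the text; it
# exists for self-testing only.

DEFAULT_PLIST='/private/var/containers/Bundle/Application/D9185B6D-EA9E-4678-B59C-BF43DEFE67BF/yalu102.app/dropbear.plist'

sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>dropbear</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/dropbear</string>
        <string>-F</string>
        <string>-R</string>
        <string>-p</string>
        <string>127.0.0.1:22</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Print the listen spec: the <string> element that follows <string>-p</string>.
current_bind() {
    sed -n '/<string>-p<\/string>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1"
}

# Rewrite the listen spec in place. "usb" keeps Dropbear off the network;
# "wifi" exposes it on every interface, so change the root password first.
set_bind() {
    file="$1"
    mode="$2"
    case "$mode" in
        usb)  spec='127.0.0.1:22' ;;
        wifi) spec='22' ;;
        *)    echo "usage: set_bind <plist> usb|wifi" >&2; return 2 ;;
    esac
    # -i.bak keeps the original next to the file on both GNU and BSD sed.
    sed -i.bak "/<string>-p<\/string>/{n;s|<string>[^<]*</string>|<string>${spec}</string>|;}" "$file"
    current_bind "$file"    # read back so the caller can verify the change
}

# Usage on the device, then reboot so launchd picks the file up:
#   set_bind "$DEFAULT_PLIST" wifi
#   set_bind "$DEFAULT_PLIST" usb     # revert when Wi-Fi access is no longer needed
```

Run set_bind with wifi only for as long as you need network access, and switch back to usb afterwards; the read-back value printed by set_bind should be exactly 22 or 127.0.0.1:22, and anything else means the plist did not have the expected -p argument.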

[2]. SSH over usbmuxd does not work.

Running ssh -p 5678 root@127.0.0.1 prints the following error:

ssh_exchange_identification: read: Connection reset by peer

This usually means the phone is not properly connected to the Mac by cable; connect the phone to the Mac with the data cable and the problem goes away.

Jailbreak series

Practice based on iOS 10.3.1.

  • iOS reverse engineering: dumpdecrypted

  • iOS reverse engineering: app decryption (shell cracking)

  • iOS reverse engineering: viewing the system file directory and structure

  • iOS reverse engineering: using SSH on a jailbroken device

  • dumpdecrypted: exporting header files


Someday, you will thank yourself for your efforts