The previous nine articles explained in detail how to re-sign an app, how to inject a dynamic library, and various debugging techniques that work without a jailbreak. These techniques are already powerful enough to analyze and modify other people's apps in most cases, and they are enough for apps whose developers gave no thought to security. But as soon as the other side protects their app, re-signing starts to look weak. For example: 1. after logging in to WeChat with a re-signed build, they warn you the next day; 2. after re-signing Youku, you can see that they log it as an illegal app...
So at this point we need greater control over the app, and even over the operating system, and the basis of all that is the jailbreak!
Hackers always imagine what they would do if they were the developer, and from that they work out where to start. In the same way, developers have to imagine what hackers would do before taking action. And then it becomes a recursive game. Take jailbreak detection for example. At first everyone just checked whether Cydia was installed, but hackers said, "I can do it without Cydia." Developers then said, you must be using MobileSubstrate, bash, SSH; I'll check whether the phone has these tools installed. But what use is that? Whatever you check, I'll get around it. When class-dump became popular and function symbols were exposed, developers went to great lengths to hide their sensitive function code. Hackers also know what class-dump is bad at, and new ways of searching sprang up. That said, once something becomes popular, it's no longer a defense that has hackers howling "this is really hard work". Hackers know developers are cleaning up their data, so I hook memset to read it before you do. Developer: I'll just write it to the hard drive and delete it! Haven't you heard of file recovery?
The above is quoted from the soliloquy of the big shot Read Qian.
So this is a whole new chapter, and really the beginning of reverse engineering. Let's enjoy attack and defense in the iOS world.
I. What is jailbreaking
To understand jailbreaking, you need to understand the iOS startup process. iOS boot has three modes:
- Normal boot
- Recovery boot
- Firmware update boot
We only cover normal mode here; you can guess at the other two.
1. Boot chain diagram
2. The boot chain explained
Step 1. Press the power button
Well, nothing to explain there.
Step 2. Boot ROM
Every iOS device has code called the Boot ROM integrated into the processor. This code is burned into read-only storage in the processor, so its integrity is guaranteed. That has a downside too: if the Boot ROM itself has a security hole, it cannot be fixed with an update. The Boot ROM is responsible for initializing the device and loading the Low Level Bootloader (LLB). During this step the Boot ROM uses the Apple Root CA public key to verify the LLB's signature; if verification succeeds, the LLB runs and goes on to load iBoot, and if it fails, the boot stops. The Boot ROM therefore plays a key role in the boot process. Because the Boot ROM is read-only, Android cannot be installed on an iPhone; likewise, you cannot install iOS on any device other than an iPhone, since it lacks Apple's Boot ROM.
Step 3. Low Level Bootloader
Unlike the Boot ROM, the LLB is not burned into the device; it ships as part of iOS. Like other files it is an encrypted IMG3 file and is updated with iOS updates. The LLB is responsible for starting the higher-level bootloader, iBoot, which it must verify first: if verification fails, startup stops; if it succeeds, startup continues.
Step 4. iBoot
iBoot is the main loader in the boot process and is responsible for loading the operating system kernel. This step is also verified: if verification fails, startup stops; if it succeeds, startup continues.
iBoot is loaded into memory at address 0x5FF00000. It has a built-in HFS+ driver, direct access to the iOS file system, and multithreading support. iBoot normally spawns two threads. The main thread displays the Apple logo at startup and boots the system according to the auto-boot and boot-command environment variables (in normal boot mode boot-command is set to fsboot); the boot can be delayed via the bootdelay environment variable. The other is the UART reader thread, which Apple may use for debugging and which is basically idle. In normal boot mode iBoot calls fsboot() to mount the iOS system partition, locate the kernel, prepare the device tree, and boot the system. If booting fails, iBoot enters recovery mode.
If verification fails at any of the preceding three steps, startup fails.
Step 5. launchd, daemons and agents, SpringBoard
launchd starts the daemons and agents, followed by SpringBoard, the desktop application.
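As an added illustration (not code from the original article), the following Python simulates the chain described in steps 2 to 5: an immutable trust anchor holding Apple's public key verifies each stage before handing it control, and the first stage whose image no longer matches its signature halts the boot. Toy textbook RSA over two small Mersenne primes stands in for Apple's real signing scheme, and the stage images and keys are constructed.

```python
import hashlib

# Toy textbook RSA over two Mersenne primes, constructed for illustration only
# (far too small to be secure). (N, E) stands in for the Apple Root CA public
# key burned into the Boot ROM; D stands in for Apple's private signing key.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse (Python 3.8+)

def digest(image: bytes) -> int:
    # SHA-256 of the stage image, reduced into the toy modulus.
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign(image: bytes, d: int = D) -> int:
    return pow(digest(image), d, N)          # done once by Apple's build system

def verify(image: bytes, sig: int, e: int = E) -> bool:
    return pow(sig, e, N) == digest(image)   # done by each stage before it jumps on

# Constructed stand-ins for the real LLB, iBoot and kernelcache images.
STAGES = ["LLB", "iBoot", "kernel"]
IMAGES = {"LLB": b"low level bootloader", "iBoot": b"iboot fsboot", "kernel": b"kernelcache"}
SIGS = {name: sign(img) for name, img in IMAGES.items()}   # shipped next to each image

def boot(images: dict, sigs: dict) -> list:
    """Walk the chain from the Boot ROM and return the stages that ran, in order.
    Each stage is verified by the one before it, so the first bad signature
    halts the boot and nothing later (including launchd) ever runs."""
    ran = ["BootROM"]                          # read-only trust anchor
    for name in STAGES:
        if not verify(images[name], sigs[name]):
            ran.append("HALT: %s signature invalid" % name)
            return ran
        ran.append(name)
    ran.append("launchd")
    return ran

def demo():
    # Same signatures, but the iBoot image was modified after signing.
    tampered = dict(IMAGES, iBoot=b"iboot fsboot (patched)")
    return boot(IMAGES, SIGS), boot(tampered, SIGS)

if __name__ == "__main__":
    for chain in demo():
        print(" -> ".join(chain))
```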
3. What is jailbreaking?
On Windows the most powerful user is Administrator, who can do anything on the machine, even delete itself. On Linux the user with the highest privilege is root. On Android there is the term "rooting", which just means obtaining root privileges. iOS derives from Unix and is basically similar to Linux, so jailbreaking essentially means obtaining root privileges.
Combined with the secure boot chain verification described above, what a jailbreak has to do is find vulnerabilities in the three verification steps and bypass the checks, disabling the components responsible for verification in the chain of trust and finally obtaining root.
There are two kinds of jailbreak:
- Perfect (untethered) jailbreak: after exploiting the iOS vulnerability, every time the system restarts the injected malicious code runs automatically, defeats the security checks again, and regains root.
- Imperfect (tethered or semi-tethered) jailbreak: after jailbreaking, the security chain is not completely broken and some information or functions do not work properly. For example, after shutting down you must connect to the jailbreak software to boot, or a reboot causes the jailbreak to be lost. Such jailbreaks are called "imperfect jailbreaks".
Currently, perfect jailbreaks only exist for iOS 10 and lower, so if you want to play along I suggest getting an iPhone 5s on iOS 9 (you can get one on Xianyu for under 300 yuan).
II. How to jailbreak
Since Pangu and PP Assistant released the first jailbreak tools in China, jailbreaking has become extremely simple: one click, no pain, no worry. I used Ace Assistant to jailbreak.
Then choose the jailbreak tool version matching your phone's system. Follow the prompts, perform the simple operations, and wait for the automatic restart. If Cydia can be opened after the restart, the jailbreak succeeded. Of course the jailbreak may also fail; in that case repeat the steps above.
Tip: I often fail to jailbreak when the phone is hot, so if you run into the same thing, wait until the phone cools down and try again; it should succeed.
III. Recommended plug-ins (required)
Cydia sources:
2. Lei Feng source: apt.abcydia.com
3. Frida: build.frida.re
Plug-ins:
- Apple File Conduit "2": gives access to the phone's root directory
- AppSync Unified: disables signature checking, bypassing signature detection
- adv-cmds: command-line tools
- OpenSSH: a free, open-source implementation of the Secure Shell (SSH) protocol. The SSH protocol family can be used for remote control or for transferring files between computers.
- Frida: needed later for the app decryption (shell-smashing) tool
IV. Remotely log in to the phone
1. Wi-Fi connection
With the OpenSSH plug-in installed in the previous step, Wi-Fi login is easy. First make sure the phone and the PC are on the same Wi-Fi network. Find the phone's current IP address in its network settings, for example 172.20.122.108, then:
// ssh username@phone IP address
$ ssh root@172.20.122.108
The first login prompts you to confirm the host's key; answer yes and the key is saved in ~/.ssh/known_hosts. If you delete the entry for that IP from known_hosts, you get the same prompt next time.
Then enter the user's password. The default root password is alpine. If you have security requirements for your phone, it is recommended to change this password and remember it; otherwise leave it, because if you forget it you will have to reflash the phone.
If something like the picture below appears, login succeeded.
2. Wi-Fi alias
Typing ssh root@172.20.122.108 every time is cumbersome and hard to remember. If, for example, we name user root at 172.20.122.108 "5s" (assuming my jailbroken phone is a 5s), we can connect to 172.20.122.108 with:
$ ssh 5s
Method: create a file named config in the ~/.ssh directory that holds the known_hosts file mentioned above (Vim is recommended because of permissions), containing:
Host 5s
    HostName 172.20.122.108
    User root
    Port 22
If another phone is on a different IP address, add more Host blocks in the same way:
Host 5s
    HostName 172.20.122.108
    User root
    Port 22
Host 6s
    HostName 172.20.122.163
    User root
    Port 22
3. USB connection
Before logging in over USB, one piece of background is needed in addition to the Wi-Fi login above: the loopback address is 127.0.0.1, also written localhost, and the phone's SSH port is 22. So as long as port 22 is open on the phone, we just need to forward a local port to the phone's port 22 over USB.
Download usbmuxd from Sukimashita or GitHub.
We only need the tcprelay.py and usbmux.py files in the python-client folder.
In Terminal, cd into that directory and forward the phone's port 22 to local port 12345 (any unused port will do):
python tcprelay.py -t 22:12345
Then open another terminal window and connect to port 12345 on the local address:
ssh root@127.0.0.1 -p 12345
127.0.0.1 is a new address to ssh, so there is a new host key save prompt; answer yes as before, then enter the password again:
4. USB connection scripts
The commands are simple, but having to cd into the tcprelay.py directory every time is a hassle, so set an environment variable first, then write the corresponding scripts, and then you can connect over USB from any directory.
1. Set the environment variable
Skip this step if you already did it following my earlier articles. Create a folder named FYSHELL in your home directory to hold all custom scripts. FYSHELL can be anywhere you like, but its location is used below. Find the .bash_profile file in your home directory and add the FYSHELL environment variable (can't find .bash_profile? Then create it; Vim is recommended to avoid permission problems). As shown in the figure below, the author now has two environment variables, FYSHELL and CY.
2. USB port-forwarding script
Copy the python-client folder from before into FYSHELL. Create a file usbconnect.sh containing:
python /Users/username/FYShell/python-client/tcprelay.py -t 22:12345
3. Login script
Create loginusb_5s.sh containing:
ssh root@127.0.0.1 -p 12345
Then use these two scripts to log in to the phone over USB:
sh usbconnect.sh
// after the forward is up, run the login script in another terminal
sh loginusb_5s.sh
V. SSH login principles
As my 5s is not at hand, I switched to an iPhone 6 to continue...
SSH login uses RSA encryption:
- A public/private key pair is generated on the remote server (the iPhone)
- The public key is sent to the client (the Mac)
- Each time the Mac logs in to the iPhone, the Mac encrypts the password with the public key it holds locally and sends it to the iPhone, which decrypts it with the private key. Login succeeds.
1. Saving the public key
The public key saving mentioned above is actually the first step described here.
2. Verification
Use the terminal to verify this.
- View the iPhone's own host public key:
cat ssh_host_rsa_key.pub
- View the public key saved on the Mac:
cat known_hosts
The public key is the same in both places, so it checks out.
3. Man-in-the-middle attacks
The man-in-the-middle warning is what you get when this check fails during SSH login. Change the RSA public key saved locally to some other letter at will; for example, if I change the last letter f to E and try to log in to the phone again, the man-in-the-middle attack message appears.
I'll change it back after verifying.
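The check behind sections 4.1, 5.2 and 5.3, as an added Python example (not code from the article): parse known_hosts, compare the stored host key with the one the phone presents, and report the three outcomes the article walks through, namely the first-login prompt, a silent login, and the man-in-the-middle warning after one letter of the stored key is edited. The ssh-ed25519 host key is constructed; the IP addresses are the article's.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob
    (what ssh-keygen -lf prints and what the first-login prompt shows)."""
    raw = base64.b64decode(key_b64, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> base64 key. Non-default ports are stored as
    [host]:port. Hashed (|1|...) entries are skipped to keep this short."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        hosts, keytype, key = line.split()[:3]
        for host in hosts.split(","):
            known[(host, keytype)] = key
    return known

def check_host_key(known: dict, host: str, keytype: str, presented_b64: str) -> str:
    """'new' -> first-login prompt; 'match' -> silent login;
    'mismatch' -> REMOTE HOST IDENTIFICATION HAS CHANGED (man-in-the-middle) warning."""
    stored = known.get((host, keytype))
    if stored is None:
        return "new"
    return "match" if base64.b64decode(stored) == base64.b64decode(presented_b64) else "mismatch"

def ed25519_blob(key32: bytes) -> str:
    """Constructed ssh-ed25519 public key blob: length-prefixed type + 32 key bytes."""
    t = b"ssh-ed25519"
    return base64.b64encode(struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + key32).decode()

PHONE_KEY = ed25519_blob(bytes(range(32)))            # constructed phone host key
KNOWN_HOSTS = "172.20.122.108 ssh-ed25519 %s\n" % PHONE_KEY

def demo():
    known = parse_known_hosts(KNOWN_HOSTS)
    # Mimic the article: edit the last letter of the stored key, then "log in" again.
    edited = PHONE_KEY[:-1] + ("E" if PHONE_KEY[-1] != "E" else "f")
    known_edited = parse_known_hosts("172.20.122.108 ssh-ed25519 %s\n" % edited)
    return (
        check_host_key(known, "172.20.122.108", "ssh-ed25519", PHONE_KEY),
        check_host_key(known_edited, "172.20.122.108", "ssh-ed25519", PHONE_KEY),
        check_host_key(known, "[127.0.0.1]:12345", "ssh-ed25519", PHONE_KEY),  # USB route: no entry yet
    )
```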
VI. Passwordless login
Passwordless login is also called public-key login. The principle is that the user stores their public key on the remote host. At login, the remote host sends the user a random string, the user encrypts it with their private key and sends it back, and the remote host decrypts it with the stored public key. If that succeeds, the user is trusted and is allowed to log in without a password.
1. Generate an RSA key pair locally (Mac)
Look in ~/.ssh on the Mac to check whether an RSA key pair has already been generated. If id_rsa and id_rsa.pub exist, there is no need to generate them again; forcing a new pair would invalidate it everywhere the old pair is in use.
If not, run the following to generate one:
ssh-keygen
It then asks a few questions; I leave them blank and just press Enter. Afterwards ~/.ssh contains id_rsa and id_rsa.pub.
2. Send the local (Mac) public key to the server (iPhone)
ssh-copy-id root@localhost -p 12345
You need to enter the iPhone user's password once (default alpine).
Then try logging in again and you will find that no password is needed.
As with the SSH verification in the previous step, check the public keys used at both ends.
It checks out as well.
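The challenge-response described above, as an added Python simulation (not code from the article): the phone holds the public key that ssh-copy-id installed, sends a fresh random challenge, and accepts the login only if the response was produced with the matching private key; a replayed answer or a different key is rejected. Toy textbook RSA over two Mersenne primes stands in for id_rsa, and the Phone class is a constructed stand-in for sshd, not a real SSH implementation.

```python
import hashlib
import os

# Toy textbook RSA, constructed for illustration only (far too small to be secure).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
MAC_PRIV = pow(E, -1, (P - 1) * (Q - 1))      # stands in for ~/.ssh/id_rsa on the Mac
MAC_PUB = (N, E)                               # stands in for id_rsa.pub

def h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def client_respond(challenge: bytes, priv: int = MAC_PRIV) -> int:
    # "Encrypt the random string with the private key": a signature over its hash.
    return pow(h(challenge, N), priv, N)

def server_check(challenge: bytes, response: int, pub=MAC_PUB) -> bool:
    n, e = pub
    return pow(response, e, n) == h(challenge, n)

class Phone:
    """The remote host: authorized_keys plus one outstanding challenge per user."""
    def __init__(self):
        self.authorized = {}
        self.pending = {}

    def copy_id(self, user: str, pub):        # what ssh-copy-id does (after one password)
        self.authorized[user] = pub

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)                # fresh every login, so old answers are useless
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, response: int) -> bool:
        nonce = self.pending.pop(user, None)  # single use
        pub = self.authorized.get(user)
        return bool(nonce and pub and server_check(nonce, response, pub))

def demo():
    phone = Phone()
    phone.copy_id("root", MAC_PUB)
    c1 = phone.challenge("root")
    r1 = client_respond(c1)
    ok = phone.login("root", r1)                       # the Mac holding id_rsa
    phone.challenge("root")
    replayed = phone.login("root", r1)                 # reusing the old answer
    wrong_key = phone.login("root", client_respond(phone.challenge("root"), MAC_PRIV + 2))
    return ok, replayed, wrong_key
```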
VII. Summary
If jailbreaking is the beginning of reverse engineering, then logging in to the phone remotely from the Mac is its door: only once inside can we explore. All later operations, such as app decryption (shell smashing), dynamic analysis, dynamic debugging and dynamic library injection, depend on this step, so if you can, I hope you follow along and do it yourself. There may be pitfalls, but that's what makes it memorable!
The next article covers how to crack an app after logging in to the phone.
References
- iOS startup process
- Overview of iOS security mechanisms