iOS reverse engineering - starting from jailbreak

Starting with this article, we will use the iPhone jailbreak as a starting point to sort out the various technologies and knowledge points used in iOS reverse engineering.

About jailbreak (jailBreak)

Jailbreaking exploits a vulnerability in the iOS secure boot chain to disable the components responsible for verification in the chain of trust, and thereby obtains the highest privilege level on iOS: root.

iOS system security boot chain

When a device running iOS starts, it first reads its initialization code from the read-only boot ROM, which is the system's boot program (every operating system goes through an equivalent step at startup; only the details differ). The boot ROM contains the public key of Apple's root certificate authority, which is used to verify the signature of the Low-Level Bootloader (LLB); only once that verification passes does startup continue. LLB does some groundwork and then verifies the second-stage bootloader, iBoot. Once iBoot is running, the device can either enter recovery mode or boot the kernel. After iBoot verifies the kernel's signature, the rest of the boot process proceeds normally: loading drivers, detecting devices, and starting the system daemons. This chain of trust ensures that every system component was written, signed, and distributed by Apple and cannot come from a third party. Jailbreaking works by attacking this chain of trust: the authors of every jailbreak tool have to find a vulnerability somewhere in the chain that lets them disable the components responsible for verification, and thereby obtain root, the highest privilege level on iOS.


Perfect jailbreak or imperfect jailbreak

Depending on how persistent the result is, jailbreaks fall into the following two kinds:

  • Perfect jailbreak
    A perfect jailbreak means that after the iOS vulnerability has been exploited, the injected jailbreak code is invoked automatically on every restart, breaking the security verification and regaining root each time.

  • Imperfect jailbreak
    An imperfect jailbreak means that after the device is jailbroken, the security chain is not completely broken and some information or functions do not work properly; for example, after powering off you must reconnect the jailbreak software to boot, or a reboot causes the jailbreak to be lost. Such a jailbreak is called an "imperfect jailbreak".

So how do we jailbreak?

We usually use unc0ver to jailbreak the phone. It currently supports iOS 11 through iOS 14.8.

  • From the unc0ver website we can get the unc0ver ipa installation package.
  • We create a new project in Xcode and run it on our phone.
  • Next, we create a new folder named APP and put the ipa package in this folder.
  • Then we obtain the re-signing script, named appSign.sh.
  • In the Xcode project configuration, go to Build Phases -> Add New Run Script Phase, and set the content to ./appSign.sh.
  • Run the project again. After the app starts, stop debugging. At this point unc0ver is already running on the phone.
  • Open unc0ver, open the settings in the upper left corner, check Install OpenSSH, go back, and tap to start the jailbreak (it may get stuck partway through; just try a few more times).

After completing the steps above, the phone is jailbroken.

Next, we can install some commonly used software in reverse development through Cydia.

Install common software

After the phone is jailbroken, we can add commonly used sources to Cydia, such as:

  • Bee Source apt.cydiami.com
  • Lei Fengyuan atp.abcydia.com

OpenSSH

OpenSSH is a free and open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol can be used for remote control, or to transfer files between computers.

SSH

SSH is a network protocol used for encrypted login between computers.
In 1995 the Finnish researcher Tatu Ylonen designed the SSH protocol, which encrypts all login information. It became a basic building block of Internet security, was quickly adopted worldwide, and is now standard on Linux systems.

OpenSSH

It is a very widely used piece of software.

During the jailbreak we already installed OpenSSH, so now we can connect to the phone from the computer's terminal.

  • Turn on the phone's Wi-Fi and find the phone's IP address.
  • Connect to the phone with ssh <username>@<phone IP address>.
  • The default password is alpine.

iOS has two users: root and mobile.

  • root user: the highest-privilege user; it can access any file.
  • mobile user: a normal user; it can only access files under its own home directory, /var/mobile.

SSH-related operations

  • Delete the saved key for a server address: ssh-keygen -R <server IP address> (when you SSH into the phone, the phone is the server).
  • known_hosts file: stores the keys accepted when logging in to SSH servers; kept in the ~/.ssh directory.
  • ssh_host_rsa_key.pub file: the key the SSH server sends to the connecting client; kept in the /etc/ssh directory.
  • config file: create a config file in the ~/.ssh directory. Inside it you can configure aliases for SSH logins:
    • Host alias
    • Hostname IP address
    • User username
    • Port port number

Password-free login

Password-free login is also called "public key login". The principle is that the user stores their public key on the remote host. When logging in, the remote host sends a random string to the user, the user encrypts it with their private key and sends it back, and the remote host decrypts it with the stored public key. If this succeeds, the user is proven trustworthy and the login is allowed directly without asking for a password.

  • Copy the public key to the SSH server: $ ssh-copy-id <username>@<server IP address>

USB login

Apple has a service called usbmuxd; its main job is to multiplex multiple TCP connections over the USB protocol.

iproxy port mapping

  • Install the libimobiledevice tools:
    $ brew install libimobiledevice
  • Map the port:
    $ iproxy 12345 22

This configures the USB port mapping so that local port 12345 is forwarded to port 22 on the phone; we can then connect to the phone with ssh -p 12345 root@localhost.
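The following script is an added example, not code from the original post, that ties together the ~/.ssh/config alias keys, the ssh-copy-id step and the iproxy mapping described above for a phone attached over USB. It assumes libimobiledevice (iproxy) is installed, the phone is jailbroken with OpenSSH enabled, and it uses the alias name iphone-usb, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: iproxy from
# libimobiledevice is installed, the phone runs OpenSSH and is plugged in
# over USB, and the alias "iphone-usb" is our own choice.

LOCAL_PORT=12345        # the local port the page maps to the phone's port 22
PHONE_ALIAS=iphone-usb  # hypothetical alias name
PHONE_USER=root

# Build the ~/.ssh/config stanza from the keys the page lists
# (Host / Hostname / User / Port). Hostname is localhost because the
# connection goes through the iproxy tunnel rather than over Wi-Fi.
gen_ssh_config() {
    # $1 alias, $2 local port, $3 user
    printf 'Host %s\n    Hostname localhost\n    Port %s\n    User %s\n' "$1" "$2" "$3"
}

# Append the stanza unless an entry for this alias already exists.
install_ssh_config() {
    cfg="$HOME/.ssh/config"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    if ! grep -q "^Host $PHONE_ALIAS\$" "$cfg" 2>/dev/null; then
        gen_ssh_config "$PHONE_ALIAS" "$LOCAL_PORT" "$PHONE_USER" >> "$cfg"
        chmod 600 "$cfg"
    fi
}

# Start the usbmuxd-backed tunnel (local 12345 -> device 22) and wait until
# the local side is actually listening; iproxy exits if no device is attached.
start_tunnel() {
    iproxy "$LOCAL_PORT" 22 >/dev/null 2>&1 &
    pid=$!
    for _ in 1 2 3 4 5; do
        nc -z localhost "$LOCAL_PORT" 2>/dev/null && { echo "$pid"; return 0; }
        sleep 1
    done
    kill "$pid" 2>/dev/null
    return 1
}

main() {
    install_ssh_config
    start_tunnel >/dev/null || { echo "no device reachable via usbmuxd" >&2; exit 1; }
    # This first login still asks for the root password (alpine by default);
    # afterwards "ssh iphone-usb" uses the key. Change that default with passwd.
    ssh-copy-id "$PHONE_ALIAS"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh setup-phone-ssh.sh run`; once the key is installed, `ssh iphone-usb` reaches the phone through the USB tunnel without the default password, which should be changed in any case since OpenSSH also listens on the phone's Wi-Fi interface.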

Well, that's all for today; this is just the start. Next, we will use the jailbroken phone to begin the actual reverse-engineering work.


Origin juejin.im/post/7221531861738471480