Jailbreaking iOS
How an iPhone breaks free

Kai Aras - CSM
Stuttgart Media University
What is iOS?

•   Apple's operating system for iPhone, iPod touch and iPad

•   Based on Mac OS X

•   Latest release 4.2.1
What is a Jailbreak?

•   removes certain security mechanisms to allow installation and
    distribution of untrusted 3rd party applications.

•   patches code signing to achieve unsigned code execution

•   makes you play Angry Birds for free...
Why does it exist?

•   Closed Platform

•   Software Distribution controlled by Apple (walled garden)

•   3rd party developers cannot modify system components

•   3rd party developers can only use public APIs

•   people enjoy hacking things ;)
What about the name - Jailbreak?

•   seems to originate from the first hackers breaking out of the so-called
    chroot jail.
What can be done with a JB?

•   Install software that is unsupported by Apple.

    •   Apps, Addons, Themes

•   Activate the Device (unofficial carriers)

•   Unlock the device.

•   Do custom development that requires deeper system integration.

•   Install pirated software ☹
A state-of-the-art prison
iOS Hardware and Software Design
iOS Hardware Architecture

[Diagram: two processors]

•   Application Processor: runs iOS (user interaction, applications, ...)

•   Baseband Processor: runs NucleusOS (radio communication)
iOS Hardware Architecture

[Diagram: the Application Processor (audio, display, camera, power management) is linked to the Baseband Processor (WIFI, BT, GSM) over UART, I2S, GPIO and DMA. The baseband controls the sim/net-lock!]
iOS Security Architecture

•   Sandboxing

•   Memory protection

•   Code signing

•   Encryption
Sandboxing

•   NAND Flash

•   FTL: converts logical partitions to NAND flash architecture

•   looks like Block Device

•   System Partition / (RO)

    User Partition /private/var (RW)

[Diagram: storage stack NAND -> FTL -> Block Device, split into / (RO, System Partition) and /private/var (RW, User Partition)]
Sandboxing

•   System Partition read only

•   3rd party lives on user partition

•   Apps run as mobile user

•   Kernel signature checks executables in system call execve()
Memory Protection

•   W^X Policy

    •   a page is either writable or executable but never both!

•   Non-executable stack & heap

•   No ASLR! -> ROP
Code Signing

•   implemented inside the Kernel

•   Kernel signature checks executables in system call execve()

•   Kernel stored on System Partition (kernelcache)

•   Kernel is signature checked before being loaded.
Encryption

•   Everything is encrypted

•   Hardware AES Engine

•   Keys derived from hardware keys (GID key, UID key)

•   Jailbreak tools (e.g. Syringe) can be used to drive the hardware engine
iOS Boot Sequence


•   Normal Boot

•   Recovery Mode

•   DFU Mode
Normal Boot

[Diagram: Bootrom -> LLB (Low Level Bootloader, NOR) -> iBoot (NOR) -> Kernel (NAND) -> Application (NAND); a signature check sits between every pair of stages]
DFU Mode

[Diagram: instead of the normal Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Application path, the Bootrom loads iBSS (a minimal iBoot) -> iBEC -> Kernel, with a Ramdisk in place of the application stack]
Recovery Mode

[Diagram: Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel, with signature checks after the Bootrom and after LLB; iBoot boots the Kernel together with a Ramdisk]
Attacking the chain of trust

[Diagram: the normal chain Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> System Software -> Application, with a signature check between every pair of stages. Attack points marked on the slide: Bootrom (cannot be fixed), iBoot, Kernel and Application.]
Breaking free

1. Patch out all the signature checks
2. Install Cydia to manage unsigned 3rd party applications

[Diagram: the chain Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> System Software -> Application with its signature checks, and Cydia drawn beside the Application stage]
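The chain of trust drawn on the Code Signing, Attacking the chain of trust and Breaking free slides, as an added example that is not part of the original slides or of any jailbreak tool. It models every stage verifying the signature of the next one with HMAC-SHA256 under a constructed key (real iOS images carry asymmetric signatures; the key, the image contents and the `VERIFIED_BY` table are assumptions of the model) and walks through the cases the slides discuss: an intact chain, an unsigned application refused by the kernel at execve(), patched LLB/iBoot/Kernel refused by the ROM check, and the same patches once the Bootrom check is bypassed, which is why that last case cannot be fixed by a software update.

```python
"""Toy model of the iOS chain of trust drawn in the slides.

Added example, not code from the slides or from any jailbreak tool. Every boot
stage verifies the signature of the next stage before handing over control, and
the kernel applies the same check to each executable at execve(). Signatures are
modelled with HMAC-SHA256 under one constructed key so the script runs with the
standard library alone; real iOS images carry asymmetric signatures, which this
model does not reproduce.
"""
import hashlib
import hmac
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed key standing in for the vendor's signing key (model assumption).
SIGNING_KEY = b"constructed-demo-signing-key"

# Stage order as drawn on the "Attacking the chain of trust" slide.
CHAIN = ["Bootrom", "LLB", "iBoot", "Kernel", "System Software", "Application"]

# Which stage checks which image. The kernel checks the system software and,
# at execve(), every application (Code Signing slide). Model assumption.
VERIFIED_BY = {
    "LLB": "Bootrom",
    "iBoot": "LLB",
    "Kernel": "iBoot",
    "System Software": "Kernel",
    "Application": "Kernel",
}

Images = Dict[str, Tuple[bytes, bytes]]  # stage name -> (image, signature)


def sign(image: bytes) -> bytes:
    """Signature the device expects to find next to an image."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, signature: bytes) -> bool:
    """Constant-time check; any modification of the image breaks it."""
    return hmac.compare_digest(sign(image), signature)


def build_chain(modified: Tuple[str, ...] = ()) -> Images:
    """Vendor-signed images for every stage.

    Stages listed in `modified` are altered after signing (a patched
    bootloader, a patched kernel, an application nobody signed), so their
    signature no longer matches the image.
    """
    images: Images = {}
    for name in CHAIN:
        image = f"{name} image (constructed)".encode()
        signature = sign(image)
        if name in modified:
            image += b" [modified after signing]"
        images[name] = (image, signature)
    return images


def boot(images: Images,
         skip_check_at: FrozenSet[str] = frozenset()) -> Tuple[List[str], Optional[str]]:
    """Walk the chain from the Bootrom.

    A stage named in `skip_check_at` no longer verifies the images it is
    responsible for: for LLB, iBoot and Kernel that is a check patched out of
    a modified image; for the Bootrom it can only mean the ROM code itself is
    bypassed, which no software update can change. Returns the stages that
    loaded and the first stage that was refused (None if all loaded).
    """
    loaded = [CHAIN[0]]
    for nxt in CHAIN[1:]:
        image, signature = images[nxt]
        if VERIFIED_BY[nxt] not in skip_check_at and not verify(image, signature):
            return loaded, nxt  # refused: nothing after this point runs
        loaded.append(nxt)
    return loaded, None


def scenarios() -> Dict[str, Tuple[List[str], Optional[str]]]:
    """The cases the slides walk through, as (loaded, refused) results."""
    patched = ("LLB", "iBoot", "Kernel")
    return {
        # Untouched device: every check passes, the app is vendor-signed.
        "intact chain": boot(build_chain()),
        # Unsigned 3rd party app on an intact chain: the kernel's execve()
        # check refuses it; everything before it boots normally.
        "unsigned app": boot(build_chain(modified=("Application",))),
        # "Patch out all the signature checks" in LLB/iBoot/Kernel only: the
        # Bootrom still verifies LLB, so the patched LLB never loads.
        "patched chain, ROM check intact":
            boot(build_chain(modified=patched), frozenset(patched)),
        # Same patches once the Bootrom check is bypassed: the whole chain,
        # unsigned app included, boots. The root sits in ROM, so this class of
        # weakness survives every software update of that hardware.
        "patched chain, ROM check bypassed":
            boot(build_chain(modified=patched + ("Application",)),
                 frozenset(patched + ("Bootrom",))),
    }


if __name__ == "__main__":
    for name, (loaded, refused) in scenarios().items():
        print(f"{name:34s} loaded={' > '.join(loaded)}  refused={refused}")
```

Running the script prints one line per scenario. The point to take from the last two is that every check downstream of a bypassed one becomes decorative, and the Bootrom's check is the only one the vendor cannot replace in the field: shipping fixed LLB, iBoot and kernel images in an update closes nothing once the ROM stage itself can be bypassed, which is exactly why the slide labels that attack point "cannot be fixed".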
How it’s done

•   exploit code-execution vulnerability to deploy and execute jailbreak
    payload

•   execute payload, if required gain root by exploiting privilege escalation
    vulnerability

•   patch LLB, iBoot and Kernel to remove signature checks

•   install Cydia to allow installation of unsigned 3rd party applications.
Star (jailbreakme.com)

•   Web based Jailbreak

•   Injection Vector: Userland Process (via HTTP)

•   first exploits CFF Font Parser (via PDF) in Mobile Safari

•   then exploits IOSurface Kernel extension (via ROP)
Star

1. Payload1: Malformed PDF
2. Payload2: Post Install
3. Deploy Payload1 via HTTP
4. Exploit Userland Process
5. Exploit Kernel to gain root privileges
6. Download Payload2
7. Install libraries and install Cydia

[Diagram: steps 1-7 drawn over the stack iBoot / Kernel / System Software / Application (Mobile Safari with its PDF CFF Font Parser) and Cydia]
greenpois0n

•   PC based Jailbreak

•   also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*)

•   exploits Bootrom vulnerability (limera1n exploit)

•   then exploits Kernel vulnerability (undisclosed exploit)

•   Injection vector: Bootloader communication (DFU Mode)
greenpois0n

1.  exploit bootrom vulnerability
2.  upload iBSS
3.  upload iBSS payload
4.  execute iBSS payload
  4.1. upload, patch and jump to iBoot
  4.2. upload iBoot payload
  4.3. upload ramdisk
  4.4. execute ramdisk
  4.5. set kernel boot args
  4.6. upload kernel cache
  4.7. boot
5.  install loader.app

[Diagram: Bootrom -> iBSS -> iBSS Payload -> iBoot -> Kernel, with the Ramdisk and Loader.app drawn below the Kernel]
Conclusion

•   Fun from a technical perspective

•   Actually useful for only a few (Unlockers, Developers)

•   Mostly used for the wrong purposes

    •   Crapware like themes and custom sms sounds

    •   Software pirating
more in the final paper...
slides available at http://blog.010dev.com
Unlocking

(Diagram: the baseband boot chain. Bootrom, held in ROM, performs a signature check on the Bootloader, which performs a signature check on the Firmware (Nucleus OS); Bootloader and Firmware live in NOR. The NOR also holds the seczone, a protected area that contains the encrypted lock-state.)

1. truly unlock by altering the lock-state in the seczone

2. unlock on-the-fly by constantly overriding the netlock checks in the firmware (the diagram crosses out the firmware's path to the seczone with an X)

Unlocking

2. unlock on-the-fly by constantly overriding netlock checks in firmware

(Diagram: the Application Processor running iOS is connected over UART to the Baseband Processor running Nucleus OS, whose NOR holds the seczone. A daemon, unlockd, runs on the iOS side; an X marks the overridden netlock check between Nucleus OS and the seczone.)

•   run a daemon process (unlockd) on the application processor * (requires jailbreak)

•   exploit code execution vulnerabilities in the baseband firmware to override the netlock "on-the-fly"