The backup

First of all, if the contents of your phone are important, back them up before jailbreaking.

The jailbreak concept

An Apple jailbreak exploits a vulnerability in the iOS secure boot chain: it disables a verification component in the chain of trust so that root, the highest privilege on iOS, can be obtained.

When an iOS device boots, the system first reads its initialization instructions, the boot program, from read-only ROM. (In fact, all operating systems boot through a step like this, although the details differ.) The boot ROM contains Apple's official, authoritative public key, which verifies the signature of the Low Level Bootloader (LLB) and, once it validates, starts it. The LLB does some basic work and then verifies the second-stage boot program, iBoot. Once iBoot is running, the device can enter recovery mode or start the kernel. After iBoot verifies the validity of the kernel signature, the rest of the startup sequence loads drivers, detects devices, and starts the system daemons. This chain of trust ensures that every system component was written, signed, and distributed by Apple and not by a third party.

Jailbreaking works by attacking this chain of trust. The author of every jailbreak tool needs to find a vulnerability somewhere in the chain that lets them disable one of its verification components and obtain root, the highest iOS privilege.

Jailbreaks can be divided into the following two types:

  • Perfect jailbreak

A so-called perfect (untethered) jailbreak is one where, after the iOS vulnerability has been exploited, the injected code runs automatically on every restart of the system, defeats the security verification, and regains root permission.

  • Imperfect jailbreak

A so-called imperfect jailbreak means that after the system has been jailbroken, the security chain is not completely broken and some information or functions are not fully applied. For example, after a shutdown the phone must be connected to the jailbreak software in order to boot, or a reboot invalidates the jailbreak. Such a jailbreak is called an "imperfect jailbreak."

The jailbreak tools

Three jailbreak tools are recommended:

  • checkra1n: it can jailbreak devices with processors before the A9. There is a catch: the cable connecting the phone to the computer cannot be USB Type-C, and because new computers only have Type-C ports, you have to use an adapter to convert to a regular USB port.

  • unc0ver: a common tool. It is an IPA package that needs to be re-signed and installed on the phone. Monkey is not recommended.

  • Odyssey: I have not used this tool, so I am not very clear on it.

The Cydia store app appears after a successful checkra1n or unc0ver jailbreak, and the Sileo store app appears after a successful Odyssey jailbreak.

How to connect to the phone remotely

  • First, install the OpenSSH plug-in from Cydia.
  • Put the computer on the same Wi-Fi network as the jailbroken phone.
  • Use SSH to log in to the jailbroken phone. The format is:

# root: the user with the highest permission, can access any file
# mobile: a common user who can only access /var/mobile
ssh <username>@<phone-ip>
# for example (<phone-ip> is the IP address of the phone)
ssh root@<phone-ip>
# it then asks you to enter your password, which defaults to alpine

Password-less login:

  • First generate a key pair: ssh-keygen
  • Copy the newly generated public key to the phone: ssh-copy-id root@<phone-ip>
  • Then you can log in without a password

Typing the IP address on every login is annoying; you can write a script, or create a config file in the ~/.ssh directory and use an alias.

Logging in to the phone over IP is easily affected by the network and the response is slow, so we can instead log in over the USB connection by mapping a port. The default SSH port is 22, and you can log in with ssh -p 22 root@<phone-ip>. So we need to put

There are two ways to do this:

  • usbmuxd: this is something I found on the Internet myself; I do not use this method.
  • iproxy: for example, if you want to map port 2222, write: iproxy 2222 22. If the command does not exist, you may need to install it first: brew install libimobiledevice

Final summary commands:

# Generate a key pair (empty passphrase)
ssh-keygen -t rsa -P ""

# Copy the public key into the phone's ~/.ssh/authorized_keys; enter the default password alpine when prompted
ssh-copy-id -i $HOME/.ssh/id_rsa.pub root@<phone-ip>

# Test whether password-less login works
ssh root@<phone-ip>

# USB mapping: forward local port 2222 to the phone's port 22 (a port larger than 10000 is recommended)
iproxy 2222 22
# If "command not found" is displayed, install the tool first
brew install libimobiledevice

# Open a new terminal window to log in to the phone
ssh root@localhost -p 2222

# Add an alias by putting the following into $HOME/.ssh/config
Host ip5s
    Hostname localhost
    User root
    Port 2222

# Save the config file and log in quickly
ssh ip5s

# done

How to break the shell (decrypt an app)

Apps submitted to the App Store for publication are protected and encrypted by Apple, which ensures that the apps running on a device are approved by Apple and also lets Apple manage software licenses. For an app encrypted by the App Store, there is no way to decompile it for static analysis with Hopper or class-dump. In reverse analysis, the encrypted binary must first be decrypted before static analysis can be performed, a process known as breaking the shell.

  • Static shell breaking: decrypting the protected application without running it, after having mastered and understood its encryption algorithm and logic. Static unpacking is difficult, and the party doing the encryption may switch to more advanced and complex encryption techniques once they find that the application has been cracked.

  • Dynamic shell breaking: starting from the image of the executable as it runs in the process's memory space, dump the memory contents to obtain the decrypted binary. This approach is relatively simple to implement and does not depend on which encryption technique is used.

Given the difficulty, everyone uses dynamic shell breaking. At present there are three kinds of tools for it; two of them, Clutch and dumpdecrypted, are old and not used much nowadays, so I won't go into them here.

The frida-ios-dump tool is used to break the shell.
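Before and after a dynamic dump it is worth checking whether a binary still carries the App Store encryption: the Mach-O LC_ENCRYPTION_INFO load command has a cryptid field that is 1 while the executable segment is encrypted and 0 in a decrypted image written out by a tool like frida-ios-dump. The parser below is an added example written for this post, not code from the original article or from frida-ios-dump; the Mach-O image it checks is constructed inline by build_sample, and the fat-binary branch is not exercised by that sample.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # little-endian 32/64-bit Mach-O headers
FAT_MAGIC = 0xCAFEBABE                            # big-endian multi-architecture wrapper
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def parse_thin(data, offset=0):
    """Walk one slice's load commands; return its encryption info dict, or None if it has none."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % offset)
    ncmds, = struct.unpack_from("<I", data, offset + 16)  # ncmds is at +16 in both header layouts
    pos = offset + header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            return {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        pos += cmdsize
    return None

def encryption_status(data):
    """Map each architecture slice (or 'thin') to its encryption info; fat binaries are unpacked."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch, = struct.unpack_from(">I", data, 4)
        slices = {}
        for i in range(nfat_arch):  # fat_arch entries: cputype, cpusubtype, offset, size, align
            cputype, _, off, _, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices["cputype_0x%x" % cputype] = parse_thin(data, off)
        return slices
    return {"thin": parse_thin(data, 0)}

def is_encrypted(data):
    """True if any slice still has cryptid != 0, i.e. the App Store encryption was not removed."""
    return any(i is not None and i["cryptid"] != 0 for i in encryption_status(data).values())

def build_sample(cryptid):
    """Constructed minimal arm64 MH_EXECUTE image: a zeroed LC_SEGMENT_64 then LC_ENCRYPTION_INFO_64."""
    segment = struct.pack("<II", 0x19, 72) + b"\0" * 64
    enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    cmds = segment + enc
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return header + cmds
```

Run encryption_status(open(path, "rb").read()) on a real app binary to get the same dictionary; a dump whose cryptid is still 1 was not actually decrypted.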