Jailbreaking iOS
How an iPhone breaks free

Kai Aras - CSM
Stuttgart Media University
What is iOS ?

•   Apple's operating system for iPhone, iPod touch and iPad

•   Based on Mac OS X

•   Latest release 4.2.1
What is a Jailbreak ?

•   removes certain security mechanisms to allow installation and
    distribution of untrusted 3rd party applications.

•   patches code signing to achieve unsigned code execution

•   makes you play Angry Birds for free...
Why does it exist ?

•   Closed Platform

•   Software Distribution controlled by Apple (walled garden)

•   3rd party developers cannot modify system components

•   3rd party developers can only use public APIs

•   people enjoy hacking things ;)
What about the name - Jailbreak ?

•   seems to have originated with the first hackers breaking out of the
    so-called chroot jail.
What can be done with a JB ?

•   Install software that is unsupported by Apple.

    •   Apps, Addons, Themes

•   Activate the device (unofficial carriers)

•   Unlock the device.

•   Do custom development that requires deeper system integration.

•   Install pirated software ☹
A state-of-the-art prison
    iOS Hardware and Software Design

iOS Hardware Architecture

•   Application Processor: runs iOS (user interaction, applications, ...)

•   Baseband Processor: runs NucleusOS (radio communication)

Diagram: the Application Processor (audio, display, camera, power management)
is connected to the Baseband Processor (WiFi, BT, GSM) via UART, I2S, GPIO
and DMA. The Baseband Processor controls the SIM/net-lock!
iOS Security Architecture

•   Sandboxing

•   Memory protection

•   Code signing

•   Encryption
Sandboxing

•   NAND Flash

•   FTL: converts logical partitions to the NAND flash architecture

•   looks like a Block Device

•   System Partition / (RO)

•   User Partition /private/var (RW)

Diagram: / (RO, System Partition) and /private/var (RW, User Partition) sit on
the Block Device, which sits on the FTL, which sits on the NAND.

•   System Partition read only

•   3rd party lives on user partition

•   Apps run as mobile user

•   Kernel signature checks executables in systemcall execve()
Memory Protection

•   W^X Policy

    •   a page is either writable or executable but never both!

•   Non-executable stack & heap

•   No ASLR! -> ROP
Code Signing

•   implemented inside the Kernel

•   Kernel signature checks executables in systemcall execve()

•   Kernel stored on System Partition (kernelcache)

•   Kernel is signature checked before being loaded.
Encryption

•   Everything is encrypted

•   Hardware AES engine

•   Keys derived from the hardware keys (GID key, UID key)

•   Jailbreak tools (e.g. Syringe) make it possible to use the hardware engine
iOS Boot Sequence


•   Normal Boot

•   Recovery Mode

•   DFU Mode
Normal Boot

    Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Application
                  NOR                        NOR      NAND      NAND

    signature check at every hand-over: Bootrom checks LLB, LLB checks iBoot,
    iBoot checks the Kernel, the Kernel checks the Application.

DFU Mode

    Bootrom -> iBSS (minimal iBoot) -> iBEC -> Kernel -> Ramdisk

    iBSS and iBEC take the place of LLB and iBoot; the Kernel boots a Ramdisk
    instead of the Application.

Recovery Mode

    Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> Ramdisk

    signature checks shown: Bootrom checks LLB, LLB checks iBoot.
Attacking the chain of trust

    Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> System Software -> Application

    signature check at every hand-over.

    Attack points marked on the slides: the Bootrom (cannot be fixed), iBoot,
    the Kernel and the Application.

Breaking free

1. Patch out all the signature checks
2. Install Cydia to manage unsigned 3rd party applications

    Bootrom -> LLB (Low Level Bootloader) -> iBoot -> Kernel -> System Software -> Application
                                                                   Cydia
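An added illustration, not part of the slides: a small Python model of the Normal Boot chain above, in which each stage verifies the next and trust is lost from the first stage whose check is missing or whose checker is itself untrusted. The stage names come from the slides; the HMAC signature stand-in, the key and the sample images are constructed assumptions.

```python
"""Model of the Normal Boot chain from the slides: Bootrom -> LLB -> iBoot ->
Kernel -> Application, each stage checking the signature of the next before
handing over (the Kernel's check of the Application stands for the execve()
check under Code Signing).  Signatures are an HMAC-SHA256 stand-in under a
constructed key; real iOS uses RSA signatures rooted in the Bootrom.  Only the
stage names come from the slides; everything else is illustrative."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

CHAIN_ORDER = ["Bootrom", "LLB", "iBoot", "Kernel", "Application"]
SIGNING_KEY = b"constructed-demo-signing-key"  # stands in for Apple's private key


def sign(image: bytes) -> bytes:
    """Signature carried by a stage image (constructed stand-in)."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, signature: bytes) -> bool:
    """The check each stage performs on its successor."""
    return hmac.compare_digest(sign(image), signature)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: bytes
    checks_next: bool = True  # False models a bypassed or patched-out check


@dataclass
class BootRecord:
    name: str
    loaded: bool   # did the previous stage hand over to this one?
    trusted: bool  # verified by a stage that is itself trusted?


def make_stage(name: str, checks_next: bool = True, tampered: bool = False) -> Stage:
    """Constructed sample stage; a tampered image keeps its original signature."""
    image = f"{name} code".encode()
    signature = sign(image)
    if tampered:
        image += b" +modified"  # changed after signing, so verification fails
    return Stage(name, image, signature, checks_next)


def boot(chain: List[Stage]) -> List[BootRecord]:
    """Walk the chain as the device does and record trust per stage.

    Bootrom is the root of trust.  An intact check that fails halts the boot.
    A stage handed over without a check, or checked by an untrusted stage, is
    untrusted, and so is every stage after it.
    """
    report = [BootRecord(chain[0].name, loaded=True, trusted=True)]
    for prev, cur in zip(chain, chain[1:]):
        prev_rec = report[-1]
        if not prev_rec.loaded:
            report.append(BootRecord(cur.name, loaded=False, trusted=False))
        elif prev.checks_next and not verify(cur.image, cur.signature):
            # Check still in place and the image does not verify: halt here.
            report.append(BootRecord(cur.name, loaded=False, trusted=False))
        else:
            # Verified by prev (inherit its trust) or handed over unchecked.
            trusted = prev.checks_next and prev_rec.trusted
            report.append(BootRecord(cur.name, loaded=True, trusted=trusted))
    return report


def first_untrusted(report: List[BootRecord]) -> Optional[str]:
    """First stage that ran without a trustworthy check, or None."""
    for rec in report:
        if rec.loaded and not rec.trusted:
            return rec.name
    return None


def unsigned_code_runs(report: List[BootRecord]) -> bool:
    """True when the Application stage runs outside the chain of trust."""
    return any(r.name == "Application" and r.loaded and not r.trusted for r in report)


def normal_boot() -> List[BootRecord]:
    """All images signed, all checks intact: every stage is trusted."""
    return boot([make_stage(n) for n in CHAIN_ORDER])


def tampered_kernel_boot() -> List[BootRecord]:
    """Modified Kernel, iBoot's check intact: the boot halts at the Kernel."""
    return boot([make_stage(n, tampered=(n == "Kernel")) for n in CHAIN_ORDER])


def bootrom_bypass_only_boot() -> List[BootRecord]:
    """Only the Bootrom's check is bypassed ('cannot be fixed' in the slides):
    every later stage still verifies, yet none of them can be trusted."""
    return boot([make_stage(n, checks_next=(n != "Bootrom")) for n in CHAIN_ORDER])


def patched_checks_boot() -> List[BootRecord]:
    """'Breaking free' step 1: every check patched out, so a modified
    (unsigned) Application is loaded without complaint."""
    return boot([make_stage(n, checks_next=False, tampered=(n == "Application"))
                 for n in CHAIN_ORDER])


if __name__ == "__main__":
    for scenario in (normal_boot, tampered_kernel_boot, bootrom_bypass_only_boot, patched_checks_boot):
        rep = scenario()
        print(scenario.__name__, "first untrusted:", first_untrusted(rep), "unsigned app runs:", unsigned_code_runs(rep))
```

The bootrom_bypass_only_boot scenario is the defender's takeaway: once the root check is gone, later stages still pass their own checks but nothing they report can be relied on.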
How it’s done

•   exploit a code-execution vulnerability to deploy and execute the
    jailbreak payload

•   execute the payload; if required, gain root by exploiting a privilege
    escalation vulnerability

•   patch LLB, iBoot and Kernel to remove signature checks

•   install Cydia to allow installation of unsigned 3rd party applications.
Star (jailbreakme.com)

•   Web based Jailbreak

•   Injection vector: Userland process (via HTTP)

•   first exploits the CFF font parser (via PDF) in Mobile Safari

•   then exploits the IOSurface kernel extension (via ROP)
Star

1. Payload1: Malformed PDF
2. Payload2: Post Install
3. Deploy Payload1 via HTTP
4. Exploit Userland Process
5. Exploit Kernel to gain root privileges
6. Download Payload2
7. Install libraries and install Cydia

Diagram: numbered arrows 1-7 between Payload 1, Payload 2, Mobile Safari
(PDF CFF Font Parser), iBoot, Kernel, System Software, Application and Cydia,
matching the steps above.
greenpois0n

•   PC based Jailbreak

•   also a Jailbreak toolkit (Syringe, Cyanide, Anthrax...*)

•   exploits a Bootrom vulnerability (limera1n exploit)

•   then exploits a Kernel vulnerability (undisclosed exploit)

•   Injection vector: Bootloader communication (DFU Mode)
greenpois0n

1.  exploit bootrom vulnerability
2.  upload iBSS
3.  upload iBSS payload
4.  execute iBSS payload
    4.1. upload, patch and jump to iBoot
    4.2. upload iBoot payload
    4.3. upload ramdisk
    4.4. execute ramdisk
    4.5. set kernel boot args
    4.6. upload kernel cache
    4.7. boot
5.  install loader.app

Diagram: Bootrom -> iBSS -> iBSS Payload -> iBoot -> Kernel -> Ramdisk -> Loader.app
Conclusion

•   Fun from a technical perspective

•   Actually useful for only a few (unlockers, developers)

•   Mostly used for the wrong purposes

    •   Crapware like themes and custom SMS sounds

    •   Software piracy

more in the final paper...
    slides available at
    http://blog.010dev.com
Unlocking

[diagram: baseband boot chain]
Bootrom (ROM) --signature check--> Bootloader --signature check--> Firmware (Nucleus OS) [NOR]
seczone: protected area in NOR, contains the encrypted lock-state

1. truly unlock
   by altering the lock-state in seczone

2. unlock on-the-fly
   by constantly overriding netlock checks in firmware

[diagram: unlock on-the-fly]
Application Processor (iOS, running the unlockd daemon) <--UART--> Baseband Processor (Nucleus OS, seczone in NOR)

•   run daemon process (unlockd) on the application processor
    * (requires jailbreak)

•   exploit code-execution vulnerabilities to override the netlock „on-the-fly“
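The Unlocking slide draws the baseband boot chain as Bootrom -> signature check -> Bootloader -> signature check -> Firmware, with the Bootrom in mask ROM. The following is an added example, not code from the slides: a small Python model of that chain that shows what the checks protect and what they do not. Every image, the stage names, and the VENDOR_KEY are constructed for the example; the HMAC-SHA256 tag stands in for the vendor's real RSA signature so the model runs offline with the standard library.

```python
"""Toy model of the baseband boot chain from the Unlocking slide.
Added example; images, keys and the HMAC-based 'signature' are constructed stand-ins."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed key: a stand-in for the vendor key the real Bootrom uses to
# verify the next stage (the real chain uses RSA signatures, not an HMAC tag).
VENDOR_KEY = b"constructed-vendor-key-not-a-real-key"


@dataclass(frozen=True)
class Stage:
    name: str         # stage name as drawn on the slide
    image: bytes      # the code that would run at this stage
    signature: bytes  # tag over image, made with VENDOR_KEY (empty for the ROM stage)


def sign(image: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor-side signing: only a holder of the key can produce a valid tag."""
    return hmac.new(key, image, hashlib.sha256).digest()


def signature_ok(stage: Stage, key: bytes = VENDOR_KEY) -> bool:
    """The 'signature check' box between two stages on the slide."""
    return hmac.compare_digest(sign(stage.image, key), stage.signature)


def boot(chain: List[Stage], key: bytes = VENDOR_KEY) -> Tuple[List[str], Optional[str]]:
    """Walk the chain: the first stage (Bootrom, in mask ROM) runs unverified
    because it is the root of trust; every later stage is checked by its
    predecessor before it runs. Returns (stages that ran, failed stage or None)."""
    ran = [chain[0].name]
    for stage in chain[1:]:
        if not signature_ok(stage, key):
            return ran, stage.name  # boot halts; nothing after this stage runs
        ran.append(stage.name)
    return ran, None


def build_chain() -> List[Stage]:
    """Genuine chain Bootrom -> Bootloader -> Firmware (Nucleus OS); all images constructed."""
    bootloader_img = b"constructed bootloader image"
    firmware_img = b"constructed Nucleus OS firmware image"
    return [
        Stage("Bootrom", b"constructed bootrom image", b""),
        Stage("Bootloader", bootloader_img, sign(bootloader_img)),
        Stage("Firmware", firmware_img, sign(firmware_img)),
    ]


def with_modified_image(chain: List[Stage], name: str, new_image: bytes) -> List[Stage]:
    """Copy of the chain in which one stage's image is replaced but its old signature
    is kept: how a modified image looks to the check when the vendor key is absent."""
    return [Stage(s.name, new_image, s.signature) if s.name == name else s for s in chain]


if __name__ == "__main__":
    print(boot(build_chain()))                                            # all three run
    print(boot(with_modified_image(build_chain(), "Firmware", b"mod")))   # halts at Firmware
    print(boot(with_modified_image(build_chain(), "Bootrom", b"mod")))    # ROM is never checked
```

The third call is the point of the model: a modified Bootloader or Firmware image is rejected by the stage before it, but the Bootrom itself sits in ROM ahead of every check, so the chain can only protect what comes after it. It also shows why the slide's second unlock method does not touch the signatures at all: it runs after the checks have passed and overrides the netlock check in the already-verified firmware, so the mitigation there is fixing the code-execution bugs in the firmware rather than a stronger signature scheme.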
Jailbreaking iOS

  • 1. Jailbreaking iOS How an iPhone breaks free Kai Aras - CSM Stuttgart Media University
  • 2. What is iOS ? • Apples Operating System for iPhone, iPodTouch and iPad • Based on Mac OSX • Latest release 4.2.1
  • 3. What is a Jailbreak ?
  • 4. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications.
  • 5. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications. • patches code signing to achieve unsigned code execution
  • 6. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications. • patches code signing to achieve unsigned code execution • makes you play angry birds for free...
  • 7. Why does it exist ? • Closed Platform • Software Distribution controlled by Apple (walled garden) • 3rd party developers cannot modify system components • 3rd party developers can only use public APIs • people enjoy hacking things ;)
  • 8. What about the name - Jailbreak ? • seems to be originated in first hackers breaking out of the so called chroot jail.
  • 9. What can be done with a JB ?
  • 10. What can be done with a JB ? • Install software that is unsupported by Apple.
  • 11. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes
  • 12. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers)
  • 13. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device.
  • 14. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device. • Do custom development that requires deeper system integration.
  • 15. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device. • Do custom development that requires deeper system integration. • Install pirated software ☹
  • 16. A state of the art prison iOS Hardware and Software Design
  • 18. iOS Hardware Architecture Application Processor
  • 19. iOS Hardware Architecture Application Processor iOS User interaction Applications ...
  • 20. iOS Hardware Architecture Application Processor iOS User interaction Applications ... Baseband Processor
  • 21. iOS Hardware Architecture Application Processor iOS User interaction Applications ... Baseband Processor NucleusOS Radio communication
  • 22. iOS Hardware Architecture audio WIFI display BT camera GSM Application Processor Baseband Processor UART I2S GPIO DMA power managment
  • 23. iOS Hardware Architecture audio WIFI display BT camera GSM Application Processor Baseband Processor UART I2S GPIO DMA controls power managment sim/net-lock !
  • 26. iOS Security Architecture • Sandboxing • Memory protection
  • 27. iOS Security Architecture • Sandboxing • Memory protection • Code signing
  • 28. iOS Security Architecture • Sandboxing • Memory protection • Code signing • Encryption
  • 29. Sandboxing • NAND Flash • FTL : converts logical partitions to NAND flash architecture • looks like Block Device / (RO) (System Partition) /private/var (RW) (User Partition) • System Partition / (RO) Block Device User Partition /private/var FTL NAND
  • 30. Sandboxing / (RO) /private/var (RW) • (System Partition) (User Partition) System Partition read only Block Device • 3rd party lives on user partition FTL • Apps run as mobile user NAND • Kernel signature checks executables in systemcall execve()
  • 31. Memory Protection • W^X Policy • a page is either writable or executable but never both! • Non-executable stack & heap • No ASLR! -> ROP
  • 32. Code Signing • implemented inside the Kernel • Kernel signature checks executables in systemcall execve() • Kernel stored on System Partition (kernelcache) • Kernel is signature checked before being loaded.
  • 33. Encryption • Everything is encrypted • Hardware AES Engine • Keys derived from hardware keys GID-key UID-key • Possible to use Jailbreak tools e.g. Syringe to use the hardware engine
  • 34. iOS Boot Sequence • Normal Boot • Recovery Mode • DFU Mode
  • 35. Normal Boot LLB Bootrom (Low Level iBoot Kernel Application Bootloader) NOR NOR NAND NAND signature signature signature signature check check check check
  • 36. DFU Mode LLB Bootrom (Low Level iBoot Kernel Application Bootloader) minimal iBoot Bootrom iBSS iBEC Kernel Ramdisk
  • 37. Recovery Mode LLB Bootrom (Low Level iBoot Kernel Bootloader) signature signature Kernel check check Ramdisk
  • 38. Attacking the chain of trust LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 39. Attacking the chain of trust attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 40. Attacking the chain of trust (cannot be fixed) attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 41. Attacking the chain of trust (cannot be fixed) attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 42. Attacking the chain of trust (cannot be fixed) attack here attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 43. Attacking the chain of trust (cannot be fixed) attack here attack here attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 44. Breaking free LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 45. Breaking free 1. Patch out all the signature checks LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 46. Breaking free 1. Patch out all the signature checks 2. Install Cydia to manage unsigned 3rd Cydia party applications LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  • 48. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload
  • 49. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability
  • 50. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability • patch LLB, iBoot and Kernel to remove signature checks
  • 51. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability • patch LLB, iBoot and Kernel to remove signature checks • install cydia to allow installation of unsigned 3rd party applications.
  • 53. Star (jailbreakme.com) • Web based Jailbreak
  • 54. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP)
  • 55. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP) • first exploits CFF Font Parser (via PDF) in Mobile Safari
  • 56. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP) • first exploits CFF Font Parser (via PDF) in Mobile Safari • then exploits IOSurface Kernel extension (via ROP)
  • 57. Star 1 Payload 1 2 Payload 2 3 Mobile Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  • 58. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  • 59. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  • 60. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 5
  • 61. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5
  • 62. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5
  • 63. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5 6. Download Payload2
  • 64. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5 6. Download Payload2 7. Install libraries and install Cydia
  • 66. greenpois0n • PC based Jailbreak
  • 67. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*)
  • 68. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit)
  • 69. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit) • then exploits Kernel vulnerability (undisclosed exploit)
  • 70. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit) • then exploits Kernel vulnerability (undisclosed exploit) • Injection vector: Bootloader communication (DFU Mode)
• 71-83. greenpois0n: boot chain Bootrom → iBSS → iBSS payload → iBoot → Kernel → Ramdisk → Loader.app
    1. exploit bootrom vulnerability
    2. upload iBSS
    3. upload iBSS payload
    4. execute iBSS payload
        4.1. upload, patch and jump to iBoot
        4.2. upload iBoot payload
        4.3. upload ramdisk
        4.4. execute ramdisk
        4.5. set kernel boot args
        4.6. upload kernel cache
        4.7. boot
    5. install Loader.app
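The flow above, from bootrom exploit to patched kernel, is a chain of trust broken at its root: each stage only verifies the signature of the stage it loads, so once the bootrom hands control to attacker code before its own check runs, nothing later is verified and every following image can be replaced. The Python model below is an added illustration, not code from the talk or from greenpois0n. It uses an HMAC as a stand-in for the bootrom's RSA signature check, collapses ramdisk and kernelcache into a single "Kernel" stage, and models the DFU-mode exploit as "the bootrom's first hand-off is not checked"; the key, image contents and names (`Image`, `boot`, `patched`) are all constructed for the example.

```python
"""Toy model of a staged secure boot chain and of why a bug in the very first
stage (the bootrom) lets every later stage be replaced with unsigned code.
Constructed example; not Apple's or greenpois0n's code."""
import hashlib
import hmac
from dataclasses import dataclass, replace

# Constructed stand-in for the vendor signing key. A real bootrom carries only
# the public half of an RSA key pair; a shared HMAC key keeps this runnable
# with the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(code: bytes) -> bytes:
    """Vendor signs a boot image (stand-in for an RSA signature)."""
    return hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()


@dataclass(frozen=True)
class Image:
    name: str
    code: bytes
    signature: bytes
    # Does this stage's code still verify the signature of the stage it loads?
    # "patch iBoot" in the jailbreak flow amounts to clearing this bit.
    verifies_next: bool = True


def vendor_image(name: str, code: bytes) -> Image:
    return Image(name, code, sign(code))


def patched(image: Image, new_code: bytes) -> Image:
    """Attacker swaps in code that skips the next signature check.
    The vendor signature stays attached but no longer matches the code."""
    return replace(image, code=new_code, verifies_next=False)


def unsigned_image(name: str, code: bytes) -> Image:
    """Freshly built image with no valid signature at all."""
    return Image(name, code, b"\x00" * 32, verifies_next=False)


def signature_valid(image: Image) -> bool:
    return hmac.compare_digest(sign(image.code), image.signature)


def boot(chain, bootrom_exploited=False):
    """Walk Bootrom -> iBSS -> iBoot -> Kernel.

    Each stage checks the next image's signature before jumping to it.
    bootrom_exploited models code execution inside the bootrom *before* it
    verifies iBSS, which is what the DFU-mode exploit gives: the first
    hand-off goes unchecked. Returns (stages run, unsigned stages run,
    halt reason or None)."""
    ran = [chain[0].name]
    unsigned = []
    current = chain[0]
    for index, nxt in enumerate(chain[1:]):
        checks = current.verifies_next and not (index == 0 and bootrom_exploited)
        if checks and not signature_valid(nxt):
            return ran, unsigned, f"{current.name} rejected {nxt.name}: bad signature"
        if not signature_valid(nxt):
            unsigned.append(nxt.name)
        ran.append(nxt.name)
        current = nxt
    return ran, unsigned, None


# Stock images (constructed contents).
BOOTROM = vendor_image("Bootrom", b"bootrom: DFU handler + RSA check")
IBSS = vendor_image("iBSS", b"iBSS: load and verify iBoot")
IBOOT = vendor_image("iBoot", b"iBoot: load and verify kernelcache")
KERNEL = vendor_image("Kernel", b"kernel: enforce code signing")

STOCK = [BOOTROM, IBSS, IBOOT, KERNEL]
# Patching a late stage only: the stock iBSS still verifies iBoot.
LATE_PATCH = [BOOTROM, IBSS, patched(IBOOT, b"iBoot: checks removed"), KERNEL]
# Patched iBSS without a bootrom bug: the bootrom itself rejects it.
EARLY_PATCH = [BOOTROM, patched(IBSS, b"iBSS + payload"), IBOOT, KERNEL]
# The jailbreak flow: bootrom exploit, then every later stage patched.
JAILBREAK = [BOOTROM,
             patched(IBSS, b"iBSS + payload"),
             patched(IBOOT, b"iBoot: checks removed, boot-args set"),
             unsigned_image("Kernel", b"kernel: code signing patched")]

if __name__ == "__main__":
    for label, chain, exploited in [("stock", STOCK, False),
                                    ("late patch", LATE_PATCH, False),
                                    ("early patch", EARLY_PATCH, False),
                                    ("bootrom exploit", JAILBREAK, True)]:
        print(label, boot(chain, bootrom_exploited=exploited))
```

Running it shows the three outcomes that matter for the jailbreak flow: patching only iBoot halts at iBSS, patching iBSS without a bootrom bug halts in the bootrom, and the same patched images boot all the way through once the bootrom's first hand-off is unchecked. The bootrom is mask ROM, so a bug there cannot be fixed by a software update on devices already shipped; that is why a single bootrom exploit keeps working across iOS versions until the hardware is revised.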
• 84. Conclusion
    •   fun from a technical perspective
    •   actually useful for only a few (unlockers, developers)
    •   mostly used for the wrong purposes
        •   crapware like themes and custom SMS sounds
        •   software piracy
  • 85. more in the final paper... slides available at http://blog.010dev.com
• 86-88. Unlocking
    •   baseband boot chain: Bootrom (in ROM) → Bootloader → Firmware (Nucleus OS), with a signature check at each hand-off
    •   NOR flash holds the seczone, a protected area containing the encrypted lock-state
    •   1. truly unlock by altering the lock-state in the seczone (the slide marks this path with an X)
    •   2. unlock on-the-fly by constantly overriding the netlock checks in the firmware
• 89-92. Unlocking: 2. unlock on-the-fly
    •   Application Processor running iOS and Baseband Processor running Nucleus OS (seczone in NOR), connected over UART
    •   run a daemon process (unlockd) on the application processor (requires a jailbreak)
    •   exploit code-execution vulnerabilities in the baseband firmware to override the netlock checks „on-the-fly“, leaving the stored lock-state untouched (the slide again marks the seczone path with an X)