Part 2: Step-by-step iPhone Setup for iOS Research (via @bizzybarney)

in ,

This is a follow-on to the previous post showing how to setup your Mac for iOS testing. If you haven’t read over that one - this article draws assumptions that your Mac is setup in a certain way, or that you know what you’re doing otherwise. Feel free to go read that first, I’ll wait..

Alright, now that we are all on the same page, let’s tackle the second piece and get your iPhone setup for research and testing. This guide will be very similar to the last in its simplicity, with the assumption that you are not a command line expert. But before we move on, let me repeat - THIS IS FOR RESEARCH AND TESTING.  Please don’t read this and think it is a great idea to jailbreak, load binaries onto, or otherwise press a bunch of buttons on evidentiary devices in criminal cases, or devices being inspected for civil or corporate investigations. I’m not saying you can’t do it, but make sure you understand what you are doing to the device, can explain that to someone else, and understand there are certain risks involved with jailbreaking a device.

You will need to have setup your iOS device with an AppleID and general account stuff before you can start this process. The assumption for this guide is your iDevice is at the home screen where you can use it - meaning it has been setup with whatever account you intend to use. Real you, fake you, real someone else - just kidding (but seriously don’t be an a-hole).

Jailbreak Time

If you are unfamiliar with jailbreaking - read this carefully; don’t skim it. 

This is not hacking. We are gaining privileged access to the root of the file system. Apple has setup your iDevice so it’s not easy to break things. When we jailbreak using publicly available jailbreak methods, we accept a certain risk that some harm could come to the device or its data during the jailbreak process. Please don’t mistake that warning for distrust in the FREE work the amazing jailbreak teams do to support the research and security communities. Without the jailbreak folks, mobile forensic research would be significantly diminished. If the jailbreak process goes smoothly (which it will), you now have the ability to break things. There was a time where I was extremely apprehensive about jailbreaking, mostly because I had to get over the fear that by clicking the button to start the jailbreak I might brick my device. While that certainly could happen, I will tell you I have used publicly provided jailbreaks for years now on a myriad of different iDevices and I have never caused any one of those devices to be unusable. 

Before we decide to dive into jailbreaking, you need to understand one very important thing. Your iPhone is a piece of hardware, which has an operating system running on it, and for a jailbreak to be successful it must accommodate both your hardware and OS version. If you want to jailbreak a test device, you need to closely monitor which OS version is currently available vs. which OS version is able to be jailbroken for your piece of hardware. In a perfect world, you want your test device to have the latest version of iOS that is able to be jailbroken. 

A great resource I use to determine which jailbreak method I can use for the hardware and OS version I am trying to jailbreak is https://www.theiphonewiki.com/wiki/Jailbreak.

One device I have is an iPhone 11 Pro on iOS 13.5. This isn’t the ideal test device because it isn’t susceptible to the checkm8 hardware exploit, but it is the newest device available right now. So we are going to start with the more difficult process on the newest iPhone and work towards the easier method on an older iPhone X. When the checkm8 age of iOS exploitation is gone, this method via Cydia Impactor might be the way you will jailbreak - because this is the way it was done prior to checkm8. Every jailbreak is different though, so no need to commit to anything just yet. 

Using the guide from theiphonewiki.com, I scroll down until I find the table containing a row for iOS 13.5 and column for iPhone 11 Pro. I find that my device is able to be jailbroken using unc0ver version 5.2.0. If I was keeping my device’s OS perfectly updated, it would be at iOS 13.6 at the time of writing. There is no jailbreak available for 13.6 right now, so this is why you have to pay attention and only update your OS when a jailbreak is available for the version you are upgrading the device to. You have to be diligent with this to keep your device jailbroken while updating to relevant OS versions. If you are using a personal-use device for your testing, you have to realize that by not keeping your OS updated, you are potentially saying “no thank you” to relevant security patches and new features. 

In a perfect testing scenario where money is no issue, the coffee and pastries are free, and you ride a unicorn to your corner office with a perfect view, you would have an iPhone on each OS version and never upgrade them. You would have a library of all iPhone covering allOS versions, so very specific test scenarios could be achieved - but this is a very expensive approach and is certainly not something I am personally going to do.

unc0ver Jailbreak Method

How to jailbreak using unc0ver via Cydia Impactor for iPhone 11 Pro with A13 processor on iOS version 13.5 (requires Apple Developer account)

If unc0ver is the jailbreak that works for your hardware and OS, here are steps to follow to successfully jailbreak via Cydia Impactor. Note, this method requires you to have a paid Apple Developer account. A paid account costs about $100 per year, so I maintain a dev account for this reason. If you don’t want to sign up for a developer account, there are two other free options listed on the unc0ver.dev page for jailbreaking via “AltStore” or “Xcode + iOS App Signer.” 

You are going to need Cydia Impactor on your Mac for the method I use, but there are other options available. Check unc0ver’s site for other options that are free, but we are going to use Cydia Impactor for this guide. Essentially what we are doing here is side-loading an application onto your iPhone. You aren’t going to find jailbreak applications on Apple’s App Store, so we are going to use Cydia Impactor to push an application onto your test iPhone instead.

1. Go to cydiaimpactor.com and click the download link for Mac OS X. It will download a .dmg (disk image) file.

2. Double click .dmg file then drag and drop Impactor into your Applications folder. Cydia Impactor is now installed. To find it, hold ‘command+space bar’ and use Spotlight Search and type ‘Impactor’ and select the result. You may get a warning that Impactor was downloaded from the internet and could be malicious - yup, got it, thank you Apple. 

3. Download the .ipa for unc0ver - Go to unc0ver.dev and then click “Download v5.3.1” or whatever version it lists at the time you are reading this. This will download the .ipa file which is the application that ultimately jailbreaks the device.

4. With your iPhone connected via USB and Cydia Impactor running, you should see your iPhone’s friendly name and UDID in the top field. In the bottom field it probably says, “install Cydia impactor” which is not what we are doing, ignore that for now and DO NOT PRESS START!

5. Drag the unc0ver .ipa file we previously downloaded into the bottom field of Impactor and drop it there. 

6. After dropping the file, a box pops up and asks for your iTunes email login, enter your Apple Dev account email address and press OK.

7. Apple ID Password box appears:

  • If you don’t have two-factor authentication turned on for the dev account, you can enter your AppleID password here and press OK. 

  • If you enter the AppleID password, but two-factor authentication is turned on and it fails - no big deal. Keep reading, but this is the error you will get.

  • If you do have two-factor authentication turned on, you need to go to appleid.apple.com and login to your dev account. 

  • Once logged in, you will see an account dashboard. Look in the “Security” section where it says “APP-SPECIFIC PASSWORDS” and click “Generate Password…

  • Enter a label for the password you are about to generate - it doesn’t matter at all what you put here. Click “Create.”

  • An app-specific password will be generated. Copy the password and paste it into the password box in Cydia Impactor. Click OK on Cydia Impactor.

8. Cydia Impactor will run through the application installation and should complete without any errors. Once completed, it goes back to the appearance where it displayed the iDevice name, UUID, and “install Cydia Extender”.

9. Check your iPhone for the unc0ver application and Cydia.

10. Open unc0ver application.

11. Select Settings gear in top left of screen. In Settings, toggle (Re)Install Open SSH to ON. This is going to allow us to communicate between our Mac and the iPhone. Select “Done” in top right corner and return to main screen.

12. Press “Jailbreak” button. After an advertisement, you will get a pop-up that says “Jailbreak Completed. No error occurred. The device will now reboot into the jailbroken state.” Press OK and the device will reboot fairly quickly and your device is now jailbroken!

checkra1n Jailbreak Method

The checkra1n jailbreak is a semi-tethered jailbreak based on the checkm8 boot ROM exploit. The checkm8 exploit was discovered and announced in September of 2019. It unveiled a vulnerability that essentially allows jailbreak access to the iPhone 5s, iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus, iPhone SE (1st Gen), iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus, and iPhone X - regardless of the OS version as long as it is 12.3 or higher. If you are deciding on which iPhone to purchase to dedicate to testing and research, my suggestion would be the iPhone X. Technically the iPhone 8 was released at the same time as the iPhone X, but the iPhone X includes FaceID which the majority of current iPhones employ as their unlock method. If you want to do TouchID specific testing, then perhaps the iPhone 8 or 8 Plus makes more sense. I acquired an iPhone X and an iPhone 8 Plus so I have both available if necessary. If you are buying two test devices, maybe get one of each. Essentially the oldest phones exposed by this vulnerability will be the first ones that Apple drops OS support for. The iPhone X is the “newest” older device with the vulnerable chipset, and therefore will be the last device to be aged out by Apple eventually dropping OS support for it. There are rumblings that Apple may have found a way to combat this vulnerability for iOS 14, but for research devices that you know the passcode to everything should still be fine. 

How to jailbreak using checkra1n for iPhone X with A11 processor on iOS 13.6.1

1. On your Mac, go to checkra.in in a web browser, scroll down and click “Download for macOS” and the checkra1n .dmg file will download.

2. Open your Downloads directory and double-click the checkra1n beta <version>.dmg file. After it opens the disk image, drag the checkra1n application over into the Applications folder.

3. Press “command+space bar” and use Spotlight Search and type “checkra1n” and select the application.

4. You will likely get a warning saying it cannot be opened because the developer cannot be verified. Click Cancel.

5. Click the Apple in the top left corner of your screen, then click System Preferences. Click “Security and Privacy” tab and open it. You will see a message at the bottom of the tab about checkra1n being blocked, click “Open Anyway.” Apple will show another pop-up asking if you’re really sure you want to open it, just say yes and click Open for the 12th time (just kidding). The checkra1n application is now installed on your Mac.

6. Press “command+space bar” and use Spotlight Search and type “checkra1n” again, and select it. This time the application will finally open. Typically you would want to connect your device and make sure it is supported, but for the purposes of showing off what checkra1n is capable of, I upgraded my test device to the latest version of iOS - 13.6.1 (8/21/2020). The window says it isn’t supported. If the OS version is tested and supported, you just simply click “Start” and off it goes. For an unsupported OS version on my iPhone X that is definitely susceptible to the checkm8 exploit, you can click “Options” and check the box beside “Allow untested iOS/iPad)S/tvOS versions.” Then go back to the main screen and click “Start” to make the jailbreak happen.

7. After another warning against running checkm8 on an untested OS version, it advances to a screen saying the device needs to be put into DFU mode. But first it puts the device into Recovery Mode to avoid any file system corruption.

8. The device is placed into Recovery Mode and the checkra1n application displays instructions for putting the device into DFU Mode. You need to follow the instruction in the checkra1n interface explicitly and the device should enter DFU mode. 

  • Click Start.

  • Press and hold the Side and Volume down buttons together (4 seconds)

  • Release the Side button BUT KEEP HOLDING the Volume down button (10 seconds)

9. If done correctly, the device will advance to another screen where the exploit and jailbreak occur. You can release the Volume down button once you get to this screen. The checkra1n interface will advance through a few steps without needing any actions by you. The iPhone will display a black screen with a checkra1n logo and then will boot into the operating system. The checkra1n interface will say “All Done” and you can click “Done” to return to the home screen. Unlock and open the iPhone and you should see the checkra1n application installed. Your device is now jailbroken!

Mac Setup  

iPhone Jailbroken  

Access / Research 🚧 🧰 🚧

Alright we now have a Mac setup and ready, an iPhone in a jailbroken state, and we are finally ready to gain access into the phone and it’s data. What comes next is the fruit of your labor, and what justifies to yourself that you needed to buy the new Mac and random iPhones for testing in the first place! 

Before we start, make sure these last few details are correct:

1. iPhone is connected to Mac via USB

2. iPhone is unlocked and a “Trust” pairing has been made to Mac. When you connect to Mac and unlock the iPhone, you should get a pop-up on the iPhone asking to trust the Mac or not. You must Trust the connection to the Mac.

3. iPhone display is set to never go to sleep. Settings > Display & Brightness > Auto-Lock > Never. If you are copying files from the file system and the device auto-locks, you will potentially get less data because of file permissions that change when the device is locked vs. unlocked.

Ok, let’s connect to the iPhone via Terminal on the Mac! There a few nuances to connecting to the iPhone depending on which jailbreak was used, so I will detail both. For me, I have test devices on unc0ver and checkra1n regularly, so what I am showing you is completely normal as I change between connecting to the different devices on my Mac. We are going to use iproxy to establish a TCP connection between the Mac and your iPhone. This is going to facilitate a shell into the iPhone, so you can surf the file system of your iPhone via your Mac!

1. Open a new Terminal window

2. In the Terminal window:

  • unc0ver - type iproxy 4242 22 and press return

  • checkra1n - type iproxy 4242 44 and press return

Explanation: iproxy is a utility from libimobiledevice that we are using to make a TCP (4242) connection at port #22 or #44. The unc0ver jailbreak is setup to listen on port 22 (standard SSH), and checkra1n listens on port 44.

After pressing return, your Terminal window will say “waiting for connection” with a blinking cursor.

3. Open a second Terminal window. Either right click Terminal in your Dock and select “New Window” or simply click on your first active Terminal window and press command+N to create a new window.

4. In the second Terminal window, for unc0ver and checkra1n: type ssh root@127.0.0.1 -p 4242 and press return

Explanation: ssh is the network protocol we are using to access our device, root is the username and 127.0.0.1 is our local host which is connecting to (-p) port 4242.

  • If this is your first time ever doing this, you will get an authentication message in your second terminal window asking if you are okay with the connection that is being attempted. Skip down to 4.3

  • For me, I am changing from accessing an unc0ver device to a checkra1n device. So I need to make one adjustment before I can make the connection. 

4.1 If you get the error saying there is an “Offending RSA key in /Users/<username>/.ssh/known_hosts:1”, then you need to remove the previous ssh pairing from the known_hosts file so this new device can connect. So if you get this error, it just simply means you already have an SSH known host pairing for 127.0.0.1 -p 4242. To get rid of just that specific pairing, in your second Terminal window type ssh-keygen -R “[127.0.0.1]:4242” and press return. This will save the previous known host pairing to a new file and clear the space for us to use it again. You might find a better way to manage ssh known_hosts, but this is just facilitating what we need to connect iPhones quickly without an intermission for that. (Thanks to Sarah for a non-destructive method here that is easy to follow! For this example I had to break out into a different window to make changes, so the next few photos won’t have this step in sequence.)

4.2 In second Terminal window, type ssh root@127.0.0.1 -p 4242 and press return again. (You can also press the UP arrow in the second terminal window to recall previous commands to not type the same thing again!)

4.3 In the second Terminal window, you will get a message asking if you are sure you want to continue connecting. You have to type yes and press return. You will then be presented with a screen to type a password.

5. In the password line, type alpine and press return. **The letters won’t appear as you type, you aren’t crazy. Well, not in this moment anyway.** The stock passcode to connect to iPhones in this manner is alpine and has been for some time. When I attempted this in my second terminal window, my connection unexpectedly closed. Things like this will happen, it isn’t a big problem. I simply arrowed up and ran my ssh root@127.0.0.1 -p 4242 again and then entered alpine in the password line and it worked just fine!

6. If you see something like “-bash-3.2#” or “Jane’s iPhone#” or whatever - you now have root shell access into your iPhone! Pause for celebration. 

7. In the second terminal window, which is now a shell into your iPhone, type ls -la and press return. You should see a list of the /var/root/ directory and you now have the ability to surf the file system of your iPhone via Terminal! 

This article became quite long, but I think it is important to lay some of these things out in extremely plain, easy to understand ways so that someone not overly confident in certain aspects of the process can arrive at this place. The ability to change directories on the iPhone and look at which files exist in different places, quickly viewing file contents on your screen, extracting out a single file to your Mac, and much much more - that is why we are doing this. 

If you are mildly comfortable with CLI, feel free to explore the file system of the iOS device. If you aren’t, that’s ok! You are slowly getting some exposure and will become more comfortable as we go. Our next step will take us deeper into CLI to address the file system of the iPhone.

Ending Facts: 

Once you achieve the shell into your iPhone, that first Terminal window we opened to run iproxy in essentially can be minimized and forgotten about until you need to connect a device again, or if you have connection issues while testing.

If you used checkra1n, your file system is mounted as Read Only. **If you know what you’re doing, run mount -o rw,union,update / to remount it as Read/Write.**

If you chose to jailbreak your personal device for testing, you have just softened it’s security and are accepting certain risks. You should change your default password from alpine to something of your choosing. If you are doing this, you must first turn the mount command above to mount the file system as Read/Write.  Then, you can change the password by typing passwd and pressing return in the root shell. It will ask you for a new password, then a confirmation, then you can’t forget what you chose! Repeat the process for passwd mobile.

If you want to learn more about how to load a file system monitor, find application directories, and extract specific items from the iPhone instead of doing a backup or using a forensic tool to extract data each time - check back for the next article!

Until then, “Stay classy, forensicators.”