[HN Gopher] Exploiting the iPhone 4
       ___________________________________________________________________
        
       Hi HN, author here! For the past three months, I've been
       obsessively working on gala, a jailbreak for iOS 4 that currently
       targets the iPhone 4. While other jailbreaks for this device, and
       this iOS version, already exist, the 'special sauce' of this
       jailbreak is that it comes with a 6-part series describing the
       building of a jailbreak and the many challenges that arose when
       jailbreaking iOS. The series includes interactive visualizations at
       every step of exploiting the device - from pulling memory dumps of
       the boot ROM to debugging a flashed filesystem image.
        
       That said, this isn't just a bare-bones jailbreak with some writing
       attached: gala is a fully-fledged suite that includes a significant
       Python application, a Cocoa GUI for end-users, a Rust payload, Cocoa
       Touch games to play within the boot environment while the jailbreak
       completes, and C utilities that run on-device.
        
       This was a lot of fun, and the journey included lots of milestones:
       when an iOS device boots, it does so in discrete stages (boot ROM,
       then boot loader, then kernel, etc.). This meant that my experience
       of developing this jailbreak also included these milestones, as over
       time I successfully compromised and ran each of these stages!
        
       Building this was personally exciting because I used to regularly
       make and sell tweaks for jailbroken phones on Cydia. The jailbreaks
       themselves always seemed like inscrutable black magic, until now!
        
       I'm really gratified to have finished up this project, and am
       excited to put it out into the world. Please feel welcome to have a
       look at the code, the writeup, or give it a spin on an old iPhone 4
       that you have lying around. I hope you enjoy!
        
       Author : codyd51
       Score  : 257 points
       Date   : 2023-10-02 10:27 UTC (12 hours ago)
        
 (HTM) web link (axleos.com)
        
       | malwrar wrote:
       | Really enjoyed reading through the first few parts! Cool to
       | follow along from this kind of perspective. I too read through
       | tons of source code to figure out how other people implement
       | things like exploits, fun to see someone else does the same :)
        
       | behnamoh wrote:
       | Does this also work on 4s?
        
         | alister wrote:
         | I'd also like to know if it works on the 4S.
        
         | sharkjacobs wrote:
         | > a jailbreak for iOS 4
         | 
         | presumably not, the 4s launched with iOS 5
        
         | codyd51 wrote:
         | Unfortunately, the SecureROM vulnerability that gala exploits
         | was patched in the ROMs shipped with the 4s. Therefore, gala
         | won't work out-of-the-box with the 4s.
         | 
         | However, a newer boot ROM exploit, checkm8, has become well-
         | known in the intervening years. The A5 (that the 4s ships) is
         | vulnerable to checkm8, which means that it'd certainly be
         | possible to add support for this exploit chain to a project
         | like gala!
        
           | Nezteb wrote:
           | I've been waiting for years for a project/tool to come along
           | that allows me access to an old iPhone 4s (S5L8940) I have
           | that is locked with an unknown PIN. I really just want the
           | photos on it for nostalgia reasons.
           | 
           | The closest I found at the time was ipwndfu, but it doesn't
           | support the 4s [1].
           | 
           | I had assumed that this meant that checkm8 (which ipwndfu
           | uses/includes) didn't support the 4s either. Is that not the
           | case?
           | 
           | [1] https://github.com/axi0mX/ipwndfu/issues/175
        
       | fabiensanglard wrote:
       | Do you know if there is similar literature about sim unlocking of
       | old iPhones?
        
         | kristofferR wrote:
         | This is a good starting point:
         | https://www.theiphonewiki.com/wiki/Unlock
        
       | Thaxll wrote:
       | I really like the blog layout.
        
       | ryanpetrich wrote:
       | Thanks for writing this. It takes a deep understanding to explain
       | such complicated concepts in an accessible way. Reading it
       | brought back fond memories of hacking on jailbreak projects deep
       | into the night.
        
       | DHowett wrote:
       | This is an outstanding write-up! I'm glad to see you're still
       | active in the community :)
        
         | codyd51 wrote:
         | Thank you Dustin, cool to see you around!
        
       | dguido wrote:
       | Good work, this is super cool!
        
         | codyd51 wrote:
         | Thank you Dan! All the best.
        
       | dguido wrote:
       | For fun things you can do with a good working jailbreak, check
       | out this integrity validator that checks if your phone is free of
       | malware by exploiting it:
       | https://github.com/trailofbits/ios-integrity-validator
        
         | pronoiac wrote:
         | Amnesty International released Mobile Verification Toolkit to
         | check your phone for malware, by checking encrypted backups on
         | your computer. https://github.com/mvt-project/mvt
        
         | chatmasta wrote:
         | TrailOfBits still publishes the iVerify App, which doesn't go
         | so far as actually exploiting your phone, but is still a useful
         | app to have installed. It will send you a notification when
         | there is an iOS update available, and you can configure it to
         | remind you to hard reboot your device on some periodic
         | schedule. I have it installed and appreciate the reminders to
         | reboot.
        
           | KennyBlanken wrote:
           | Most of this is built-in to iOS, and there's no need to "hard
           | reboot your device on some periodic schedule."
           | 
           | Edit: it appears that all of the application's functions are
           | easily done by setting reminders and simple automation using
           | built-in iOS apps. This is crapware and I don't know why OP
           | is pushing it as so necessary.
        
             | chatmasta wrote:
             | Periodically rebooting your device is good practice [0],
             | and is even recommended by the NSA [1], in case you're
             | infected with malware that was able to achieve arbitrary
             | code execution but not able to establish persistence (which
             | often requires a separate exploit from whichever exploit
             | achieved the initial infection).
             | 
             | The iVerify app also has other features, e.g. a checklist of
             | iOS features that you should disable for your security
             | (turning off bluetooth, airdrop, etc.) which the OS does
             | not remind you of, because it's busy encouraging you to
             | enable them.
             | 
             | [0] https://security.stackexchange.com/a/270906/76104
             | 
             | [1] https://media.defense.gov/2021/Sep/16/2002855921/-1/-1/
             | 0/MOB...
        
               | KennyBlanken wrote:
               | Everything you described - periodic reminders and
               | checklists - can still be done with the stock
               | applications.
               | 
               | You can even automate turning off bluetooth and airdrop
               | yourself, again, using the built-in automation functions.
               | 
               | So again: what does this 'security' app you're pushing as
               | so necessary, do that cannot be done with the OS's built-
               | in apps?
               | 
               | Also: can the peanut gallery nonsense about iOS being
               | "busy encouraging you to enable" things. Bluetooth is
               | only re-enabled if you disable it from the quick panel,
               | and _the OS tells you it will re-enable it_. It will not
               | re-enable it if disabled from the settings app. Airdrop
               | does not re-enable itself, ever...
        
               | cmg wrote:
               | Hey Siri re-enabled itself on my iPhone 12 Pro Max after
               | I installed the iOS 17.0 update. It's one of the first
               | things I turn off when I get a new phone and I would not
               | have knowingly turned it back on.
               | 
               | Could it have been an installer fluke? Sure. But it's
               | concerning enough.
        
               | chatmasta wrote:
               | > what does this 'security' app you're pushing as so
               | necessary
               | 
               | I called it a "useful app," while responding to a comment
               | that linked to the GitHub repo that originally spawned
               | the app. I never said it's "so necessary."
               | 
               | It's a free app from a reputable security company that
               | provides reminders and checklists that I find helpful.
               | Nobody is forcing you to install it (or to follow best
               | practices like rebooting your device).
        
               | rafram wrote:
               | Everything a word processor does - document layout,
               | formatting, spell checking, copy and paste - could be
               | done with pens, paper, a dictionary, and some glue. So
               | why do people _pay money_ for Microsoft Word?
        
               | ziddoap wrote:
               | > _So again: what does this 'security' app you're pushing
               | as so necessary, do that cannot be done with the OS's
               | built-in apps?_
               | 
               | They didn't say security app.
               | 
               | They simply mentioned it as related to the comment they
               | replied to, they aren't "pushing as so necessary". They
               | didn't even say the word "necessary", simply explained
               | the app and that they like it.
               | 
               | I don't understand the hostility.
        
       | el_benhameen wrote:
       | This is very cool, and it's a fun read so far.
       | 
       | I have a tangential, low-value question that I figured I might as
       | well ask since the author is here. I have an old iPhone 4s whose
       | passcode I have forgotten. I'd like to get some of the photos and
       | data off. As far as I can tell, this exploit doesn't require
       | "legit" access to the device. Would this process be useful for
       | retrieving data that's already on the device?
        
         | didntknowya wrote:
         | There are proven ways to unlock older iPhones. You can upload a
         | modified ROM that increases the lockout limit, then brute force
         | your way into the passcode.
        
       ___________________________________________________________________