Init

Project objective

Main goal of this project is to learn some ARM platfrom exploiting basics, which will further lead to develop some skills in exploiting methods targeted to Apple’s devices.

Tools and devices

Devices I already had and could use to this project were iPhone 4S and iPhone 5. Why these ones? They have ARMv7 processors which means they have 32-bit architecture - seems a little bit easier for the begining to me. These devices are also relatively cheap (cheers from year 2020), and further on I’m aiming in developing skills in exploiting and debugging 64-bit architecture and Apple devices. If you want to follow this guide step-by-step you should have MacBook computer.

Prepare device

Preparing devices took me literally like almost whole week with several times restoring devices, resetting and reinstalling everything all over again. So if you run into some troubles - don’t give up, search, re-think, be creative in overcoming all obstacles 😉

Jailbreaking

If you have previous experience with jailbreaking or if you are iOS developer, jailbreaking iPhones 4S and 5 is quite easy. Steps I took to jailbreak are:

1. I assume you are on MacBook and you have AppleID created. Open Xcode and start simple project for iOS.
2. Connect your iPhone to Mac. In Xcode select iPhone device as build target and try to run this project on it. If you have build problems - read them carefully and try to fix them. The reason of doing it is to be sure you have possibility of deploying and running app needed to jailbreak in next step.
3. If your simple project runs on device that means we have connection established, your signing certificate is working, we’re good to go for jailbreaking.
4. Download H3lix.ipa from https://h3lix.tihmstar.net/ (for older iOS versions: Phœnix.ipa from https://phoenixpwn.com/)
5. Download AppSigner from https://dantheman827.github.io/ios-app-signer/
6. Follow above instructions to re-sign jailbreaking app.
7. Open Xcode, form the topbar choose Window -> Devices and Simulators.
8. Choose your iPhone device, click (+) to add your re-signed H3lix or Phoenix ipa to install it on device
9. On your device go to Settings -> Device Management -> Apple Development (your AppleID) and click to trust this developer.
10. Now on your device open installed app, click to start jailbreak and keep fingers crossed 😉
11. In few minutes you should have succefully jailbroken iPhone 4S/5.
12. In case of fail, not broken properly, no Cydia installed - try again running jailbreaking app.

Same steps as above are suitable to jailbreak other older devices (just the matter of finding proper for iOS system version jailbreak tool).

Newer devices (5S and above) have 64-bit architecture, so they are not too easy to begin playing with arm exploitation and disassembled code will differ from 32-bit ones, but jailbreaking is much more easy now for models in range 5S - X with checkra1n tool https://checkra.in/.

How to connect to device - SSH

After jailbreaking and installing OpenSSH on device, you should be abble to connect to it. Find your device IP address (in device WiFi network settings) and ssh into it:

ssh root@192.168.1.45

Default password is alpine.

I ran into some troubles with sshd server on my device, but this thread helped me to restart ssh daemon https://superuser.com/questions/954492/how-to-start-ssh-server-on-ios

Resizing device partitions

Chances are that you will face the same problem as I did on my devices: low storage capacity on System partition. To gain some space I ssh’ed into my device and followed this tutorial to resize my partitions: https://www.reddit.com/r/jailbreak/comments/6gmto1/tutorial_resizing_partitions_on_ios_full_guide_no/

If you face problems with it - no worries, you can easily restore your device with your Macbook computer. You can look up and download firmware for your device from: https://ipsw.me/ Be prepared to do this at least several times while following this guide 😉

What to install?

Add some tools from Cydia:

• OpenSSH
• Substrate Safe Mode
• wget, curl, rsync
• nano
• theos with sdks (https://github.com/theos/theos/wiki/Installation-iOS)

Things needed for compiling and debugging are:

• clang (32)
• gdb (or lldb)
• radare2 package

If your gdb or other binaries don’t work properly and while trying running it you got:

$ gdb 0x02
Illegal instruction: 4

Try to run these commands for this binary:

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /usr/bin/gdb
ldid -s /usr/bin/gdb

How to install?

For installing you have several ways:

1. Cydia add repos, search, install apps
2. apt-get install [name] - just like in other unix system
3. dpkg -i package_name.deb - also like in other unixes