Time
3 hours 58 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
At this point, we take a look at the IOS. We've examined it security model, and we dove into applications a bit.
00:06
At this point, based on the way I've explained it, you must think that IOS is, ah, highly guarded fortress Ah, device with complete security with no way to penetrate its defences. Right?
00:16
Well, maybe, but based on the IOS being a close system and with the number of protections we've seen so far, we can tell. Apple certainly does a good job defending against attempts to access its ecosystem. However,
00:29
there were some Met felt that the IOS and the APP store restrictions were way to strangers and it's configurations were severely lacking.
00:37
To mitigate this issue, Jailbreaking was born. This was meant to break out of the APP store jail. So what is jailbreaking Well tell? Breaking is the process of removing restrictions imposed by apple. There's different types of jail breaks as we'll see next. But despite the method used,
00:54
we're typically taking advantage of a vulnerability in the hardware or software. The device,
00:58
once the device is exploited, allows us to run unsigned code, which usually come in the form of applications, and this opens us up to some risk. We could install an app that has been tampered with in some way or opens our device up to performing malicious activities.
01:14
Jailbreaks come in several forms, and the each work in their own separate way. But we can kind of group these together, by the way, the abuse of vulnerabilities in the ecosystem, for instance, tethered and semi untether jailbreaks. They work by abusing vulnerabilities in the boot rahm low level boot loader or I boot process.
01:30
Abusing the hardware of the device is attractive because once an exploit for the rahm is known,
01:34
the device could be exploited until another Rahm has burned onto it. This is how earlier jailbreaks work, but today there are hard to come by. This is also attractive because each level process has its own a verification process. So as the device boots from the boot Rahm the boot Rahm loads and verifies the love a boot loader.
01:55
As the low level boot loader loads,
01:57
it loads and verifies the IBEW process. As the I brew process loads it lows and verifies the IOS Colonel. So the earlier we can run unsigned code on the device, the better more recent jailbreaks, like the semi tethered and untethered jailbreaks
02:14
he's trying to take advantage of vulnerabilities in the IOS. Colonel
02:16
Jailbreaking has become a bit of a cat and mouse game, however, because as people continually find vulnerabilities, Apple continues to close them. For instance, take the KPP less jailbreaks. Thes types of jailbreaks take advantage of Colonel Patch Protection vulnerabilities Colonel Patch protectionism mitigation technique introduced by Apple.
02:37
Also, Apple recently has removed signing for old IOS versions.
02:40
This prevents people from downgrading their device to exploit old IOS versions.
02:46
Okay, then, if this is getting harder and harder, you may be asking yourself, Well, why do we bother? Why do we even jailbreak? Is it just so that a bunch of packers can put their own applications on their phone? Well, it's not really that simple. As you'll see later, there's only a limited number of things we can do with our device if we don't perform a jailbreak.
03:05
Yeah, we can download an application and weekend on packet, but that's pretty much all weaken D'oh!
03:08
Which is a lot, though, but with a jailbreak, not only can we access the device, but we'll be able to control it and see how the apse work while they're running on our phone. Not only that, we can even inject our own scripts into running applications to get David back. In fact, this is how portions of city works, but more on that later.
03:28
All right, I'm gonna take you through a jail breaking demonstration. So I have an iPhone five s running IOS version 11 dot to 11.0.1, and we're going to run an untethered jailbreak and untether jailbreak is one where you don't have to plug in your computer to your phone.
03:43
All you do is interact with some software and it's going to attempt to exploit the IOS. Colonel.
03:49
Now, with this jailbreak, it's a little finicky, so I'm gonna try to get it. Toe work, however, has been jail broken before Now, because Apple stop signing their IOS versions, I was unable to restore the device completely,
04:03
but I was able to to erase all the settings and that pretty much puts it into a state where we can re attempt the jailbreak and I can show it to you properly.
04:13
So let's go ahead and start.
04:15
Okay, so here we are. We're at the welcome screen.
04:19
We just pick our language and region doesn't matter So far you choose Set up manually.
04:26
Okay. Now, with these jailbreaks touch I d. Is doesn't work so well, set this up later, even if we want it. And of course, we're sure don't use
04:35
OK, pass code. We'll just use all zeros
04:40
use anyway.
04:47
Okay, so we don't want to do anything like this. We just want to set up a new phone. We don't want iTunes, Nothing like that
04:57
later. And settings.
05:00
And we just want to wait until it sets up the device.
05:04
Agreed to the terms.
05:08
Disable location service is
05:15
don't share.
05:18
Okay, great. Get started. Okay. So as you can see our devices booted up now, I'm gonna move around a little bit, See? So I jailbreak in this device before. So we've got city of there already, so
05:30
if we try to use it, though, it won't work right, because the jailbreak is not broken anymore. We need to redo that. So this is how we'll do that. We'll use thes
05:40
Thea untether jailbreak, as I said, So we'll go to safari,
05:46
and there's an app called Tweak box
05:54
Tweet box
05:56
case. We browse there
06:01
eventually when it works.
06:14
Okay, so what we'll do is we'll install now,
06:26
and it says we're trying Thio load a website that's gonna allow us to install app. So, yes, we want to do that.
06:32
Okay, So
06:34
for these APS toe work, we need to trust the developer. So we're gonna install the developer certificate
06:40
or install the developer profile so
06:44
and asked us for passcode, and now it's going to install it. So now this developer should be trusted,
06:50
which it is. So we should see an icon that's installing tweet box now, which it has. Okay, great. So now we're in tweak box
07:01
and we'll look for the jailbreak and install it from here. Once it loads, It takes a long time. I'll posit video and okay, here, You know, we accept in Europe, so we have to accept that.
07:13
And we look for APS
07:15
in the tweet Box AB section,
07:19
and we're gonna install the uncover jailbreak on
07:26
cover.
07:34
Okay, we're done here. It is the uncovered jailbreak,
07:39
so it's going to install it,
07:44
but we'll have to do the same thing that we did for the other application, which is trust the profile. So
07:53
as soon as it loads
07:55
well, trust the profile. We might be able to do it. Now let's check.
08:00
It's going to the settings.
08:03
See you Quicken.
08:05
No, we can't.
08:07
So we just have to wait for that. So load.
08:11
Okay, so now we see that the uncover jailbreak has installed on the device. But again, we have to go and trust that the developer. So what we'll do is to do that.
08:22
We have to go to profiles
08:28
in device management. And here now we've got a new developer. We need Thio.
08:35
We need to trust, So we trust that.
08:39
Okay, so now
08:41
what we need to do is we need to basically put this an airplane moment to shut everything off. You need to shut Syria. If you need to shut the WiFi off, you need to shut everything off. So that's what we're gonna do.
08:52
Shut that off. Okay, so
08:54
nothing's on their serie have to shut that off.
09:01
Okay, That looks like it's off. So we're good there. You also have to remove the pass code. Everything needs to be turned off.
09:11
Turnoff. Passcode?
09:15
Yes. Everything needs to be turned off for this to work.
09:20
Okay, so now we can attempt to jailbreak. The device may just make sure the wife eyes on. I'm sorry. Wife eyes off
09:30
says that's all.
09:33
Just make sure this is an airplane mode. You have no sim cards and stuff. We know.
09:39
Okay, so everything's off now,
09:43
so
09:45
run the
09:48
uncover. First Rome would make it. There we go make a little liar so you can see it. And I've learned that I need to reinstall sicheia
09:58
for this to work properly. For some reason, it doesn't work, right. If you try to jail, break it a second time after you restored it. I don't know why, but that's the funny thing with ease. Jailbreaks, right? Sometimes they work. Sometimes they don't. Sometimes you'll get on the third try sometime. You'll you won't. It's funky, so
10:20
he's going through these options reinstalled. Let me try reinstalling us us each to
10:26
all right. So let's see if this jail breaks
10:30
says it's ready. So let's try and running it,
10:35
all right? It's trying.
10:39
It says that Okay, so just turned itself off. So let's see if it actually worked or not. We might need to run this a couple of times.
10:48
Okay, so our devices booting back up.
10:54
Let's see if this jailbreak took or not. I don't think it did. Didn't look like it. So we'll try it again.
11:03
No Sim card installed. We know that.
11:07
All right, let's see if this works. Let me just shut everything off again, just in case,
11:16
you know, just in case we
11:22
it didn't work.
11:24
Yeah, it didn't work. Okay, let's try it again. Let's make sure everything's turned off. Says wife eyes turned off airplane mood.
11:33
Everything needs to be turned off.
11:43
Make sure the settings of the same
11:48
green is still sitting in a city. Can't reset that. Okay,
11:52
let's try it again.
12:01
Ooh, this looks better this time. It's good. Yeah. Okay, so
12:03
I think it's working this time.
12:07
Hopefully, it's jail breaking. It does successfully. Jailbreak will be able to launch City A,
12:11
and that's what we want to do. That's the
12:15
Jailbroken app store.
12:22
Looks like this is gonna work this time.
12:28
All right, So now we got a message saying that the jailbreak completed properly, so let's sit. Okay.
12:35
It's going to restart. Its restarted. Now you can't see it, but it's going to research and see if my video re enables.
12:45
Okay, cause mine device restarted. It didn't properly.
12:52
There we go. All right, So now I think the jail broke work. Let's want Sylvia.
12:58
And hopefully this doesn't crash. No, it's not crashing. That's good. And of course, we can't love the city of store because we're not connected to a WiFi. So let's make it. Although it's showing me that I'm connected to a WiFi, which is why jailbreaks are interesting creatures.
13:13
But
13:15
we'll turn the WiFi on
13:18
okay, connected to my hot spot, and we'll launch the city app store.
13:24
Let's reload that.
13:28
Okay, so it looks like the jailbreak was successful because we could launch City A, which is the app store.
13:35
But let's be sure for 100%. So typically, when you install Scindia, it also installs open SS age. So if we look at the i p address of our phone, we should be able to log in to be a s s age. So let's do that.
13:52
Okay. 192.168 That 43.229 All right, let's close the iPhone and open up a terminal. So We'll hide that and we'll show that. All right, so now let's try to ss age into it.
14:09
This is a TSH route.
14:11
Yeah.
14:13
192
14:15
Uh, 168.43. That 2 to 9. We should get a command prompt here.
14:24
Okay, It's asking us for a password. So the first time you do this, the password is Alpine.
14:33
Okay. Success. We definitely know that the jailbreak worked. We can sshh into our phone and we can browse around the file system.

Up Next

Mobile Malware Analysis Fundamentals

In the Mobile Malware Analysis Fundamentals course, participants will obtain the knowledge and skills to perform basic malware analysis on mobile devices. Participants will perform these tasks by learning and implementing tools and techniques while examining malicious programs.

Instructed By

Instructor Profile Image
Brian Rogalski
CEO of Hexcapes
Instructor