Jailbreaking iOS

7,622
-1

Published on

Slides introducing the topic of jailbreaking iOS.
An accompanying paper is to be added soon.

Published in: Technology
2 Comments
15 Likes
Statistics
Notes
No Downloads
Views
Total Views
7,622
On Slideshare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
543
Comments
2
Likes
15
Embeds 0
No embeds

No notes for slide

Jailbreaking iOS

  1. 1. Jailbreaking iOS How an iPhone breaks free Kai Aras - CSM Stuttgart Media University
  2. 2. What is iOS ? • Apples Operating System for iPhone, iPodTouch and iPad • Based on Mac OSX • Latest release 4.2.1
  3. 3. What is a Jailbreak ?
  4. 4. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications.
  5. 5. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications. • patches code signing to achieve unsigned code execution
  6. 6. What is a Jailbreak ? • removes certain security mechanisms to allow installation and distribution of untrusted 3rd party applications. • patches code signing to achieve unsigned code execution • makes you play angry birds for free...
  7. 7. Why does it exist ? • Closed Platform • Software Distribution controlled by Apple (walled garden) • 3rd party developers cannot modify system components • 3rd party developers can only use public APIs • people enjoy hacking things ;)
  8. 8. What about the name - Jailbreak ? • seems to be originated in first hackers breaking out of the so called chroot jail.
  9. 9. What can be done with a JB ?
  10. 10. What can be done with a JB ? • Install software that is unsupported by Apple.
  11. 11. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes
  12. 12. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers)
  13. 13. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device.
  14. 14. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device. • Do custom development that requires deeper system integration.
  15. 15. What can be done with a JB ? • Install software that is unsupported by Apple. • Apps, Addons, Themes • Activate the Device (unofficial carriers) • Unlock the device. • Do custom development that requires deeper system integration. • Install pirated software ☹
  16. 16. A state of the art prison iOS Hardware and Software Design
  17. 17. iOS Hardware Architecture
  18. 18. iOS Hardware Architecture Application Processor
  19. 19. iOS Hardware Architecture Application Processor iOS User interaction Applications ...
  20. 20. iOS Hardware Architecture Application Processor iOS User interaction Applications ... Baseband Processor
  21. 21. iOS Hardware Architecture Application Processor iOS User interaction Applications ... Baseband Processor NucleusOS Radio communication
  22. 22. iOS Hardware Architecture audio WIFI display BT camera GSM Application Processor Baseband Processor UART I2S GPIO DMA power managment
  23. 23. iOS Hardware Architecture audio WIFI display BT camera GSM Application Processor Baseband Processor UART I2S GPIO DMA controls power managment sim/net-lock !
  24. 24. iOS Security Architecture
  25. 25. iOS Security Architecture • Sandboxing
  26. 26. iOS Security Architecture • Sandboxing • Memory protection
  27. 27. iOS Security Architecture • Sandboxing • Memory protection • Code signing
  28. 28. iOS Security Architecture • Sandboxing • Memory protection • Code signing • Encryption
  29. 29. Sandboxing • NAND Flash • FTL : converts logical partitions to NAND flash architecture • looks like Block Device / (RO) (System Partition) /private/var (RW) (User Partition) • System Partition / (RO) Block Device User Partition /private/var FTL NAND
  30. 30. Sandboxing / (RO) /private/var (RW) • (System Partition) (User Partition) System Partition read only Block Device • 3rd party lives on user partition FTL • Apps run as mobile user NAND • Kernel signature checks executables in systemcall execve()
  31. 31. Memory Protection • W^X Policy • a page is either writable or executable but never both! • Non-executable stack & heap • No ASLR! -> ROP
  32. 32. Code Signing • implemented inside the Kernel • Kernel signature checks executables in systemcall execve() • Kernel stored on System Partition (kernelcache) • Kernel is signature checked before being loaded.
  33. 33. Encryption • Everything is encrypted • Hardware AES Engine • Keys derived from hardware keys GID-key UID-key • Possible to use Jailbreak tools e.g. Syringe to use the hardware engine
  34. 34. iOS Boot Sequence • Normal Boot • Recovery Mode • DFU Mode
  35. 35. Normal Boot LLB Bootrom (Low Level iBoot Kernel Application Bootloader) NOR NOR NAND NAND signature signature signature signature check check check check
  36. 36. DFU Mode LLB Bootrom (Low Level iBoot Kernel Application Bootloader) minimal iBoot Bootrom iBSS iBEC Kernel Ramdisk
  37. 37. Recovery Mode LLB Bootrom (Low Level iBoot Kernel Bootloader) signature signature Kernel check check Ramdisk
  38. 38. Attacking the chain of trust LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  39. 39. Attacking the chain of trust attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  40. 40. Attacking the chain of trust (cannot be fixed) attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  41. 41. Attacking the chain of trust (cannot be fixed) attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  42. 42. Attacking the chain of trust (cannot be fixed) attack here attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  43. 43. Attacking the chain of trust (cannot be fixed) attack here attack here attack here attack here LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  44. 44. Breaking free LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  45. 45. Breaking free 1. Patch out all the signature checks LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  46. 46. Breaking free 1. Patch out all the signature checks 2. Install Cydia to manage unsigned 3rd Cydia party applications LLB System Bootrom (Low Level iBoot Kernel Application Bootloader) Software signature signature signature signature signature check check check check check
  47. 47. How it’s done
  48. 48. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload
  49. 49. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability
  50. 50. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability • patch LLB, iBoot and Kernel to remove signature checks
  51. 51. How it’s done • exploit code-execution vulnerability to deploy and execute jailbreak- payload • execute payload, if required gain root by exploiting privilege escalation vulnerability • patch LLB, iBoot and Kernel to remove signature checks • install cydia to allow installation of unsigned 3rd party applications.
  52. 52. Star (jailbreakme.com)
  53. 53. Star (jailbreakme.com) • Web based Jailbreak
  54. 54. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP)
  55. 55. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP) • first exploits CFF Font Parser (via PDF) in Mobile Safari
  56. 56. Star (jailbreakme.com) • Web based Jailbreak • Injection Vector: Userland Process (via HTTP) • first exploits CFF Font Parser (via PDF) in Mobile Safari • then exploits IOSurface Kernel extension (via ROP)
  57. 57. Star 1 Payload 1 2 Payload 2 3 Mobile Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  58. 58. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  59. 59. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 7 System Applicatio iBoot Kernel Cydia Software n 5
  60. 60. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 5
  61. 61. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5
  62. 62. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5
  63. 63. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5 6. Download Payload2
  64. 64. Star 1 Payload 1 2 1. Payload1: Malformed PDF Payload 2 3 Mobile 2. Payload2: Post Install Safari 6 PDF CFF Font Parser 4 3. Deploy Payload1 via HTTP 7 System Applicatio iBoot Kernel Cydia Software n 4. Exploit Userland Process 5. Exploit Kernel to gain root privileges 5 6. Download Payload2 7. Install libraries and install Cydia
  65. 65. greenpois0n
  66. 66. greenpois0n • PC based Jailbreak
  67. 67. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*)
  68. 68. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit)
  69. 69. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit) • then exploits Kernel vulnerability (undisclosed exploit)
  70. 70. greenpois0n • PC based Jailbreak • also Jailbreak Toolkit (Syringe, Cyanide, Anthrax...*) • exploits Bootrom vulnerability (limera1n exploit) • then exploits Kernel vulnerability (undisclosed exploit) • Injection vector: Bootloader communication (DFU Mode)
  71. 71. greenpois0n Bootrom iBSS iBSS Payload iBoot Kernel Ramdisk Loader.app
  72. 72. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS iBSS Payload iBoot Kernel Ramdisk Loader.app
  73. 73. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS iBSS Payload iBoot Kernel Ramdisk Loader.app
  74. 74. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload iBSS Payload iBoot Kernel Ramdisk Loader.app
  75. 75. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload iBSS Payload iBoot Kernel Ramdisk Loader.app
  76. 76. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS Payload iBoot Kernel Ramdisk Loader.app
  77. 77. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload iBoot Kernel Ramdisk Loader.app
  78. 78. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk iBoot Kernel Ramdisk Loader.app
  79. 79. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk 4.4. execute ramdisk iBoot Kernel Ramdisk Loader.app
  80. 80. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk 4.4. execute ramdisk 4.5. set kernel boot args iBoot Kernel Ramdisk Loader.app
  81. 81. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk 4.4. execute ramdisk 4.5. set kernel boot args iBoot Kernel 4.6. upload kernel cache Ramdisk Loader.app
  82. 82. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk 4.4. execute ramdisk 4.5. set kernel boot args iBoot Kernel 4.6. upload kernel cache 4.7. boot Ramdisk Loader.app
  83. 83. greenpois0n 1. exploit bootrom vulnerability Bootrom iBSS 2. upload iBSS 3. upload iBSS payload 4. execute iBSS payload 4.1. upload, patch and jump to iBoot iBSS 4.2. upload iBoot payload Payload 4.3. upload ramdisk 4.4. execute ramdisk 4.5. set kernel boot args iBoot Kernel 4.6. upload kernel cache 4.7. boot Ramdisk 5. install loader.app Loader.app
  84. 84. Conclusion • Fun from a technical perspective • Actually useful for only a few (Unlockers, Developers) • Mostly used for the wrong purposes • Crapware like themes and custom sms sounds • Software pirating
  85. 85. more in the final paper... slides available at http://blog.010dev.com
  86. 86. Unlocking signature signature check check Bootrom Bootloader Firmware (Nucleus OS) ROM NOR seczone protected area contains: encrypted lock-state
  87. 87. Unlocking signature signature check check Bootrom Bootloader Firmware (Nucleus OS) ROM NOR seczone 1. truly unlock protected area by altering lock-state in seczone contains: encrypted lock-state
  88. 88. Unlocking signature signature check check 2. unlock on-the-fly by constantly overriding netlock checks in firmware Bootrom Bootloader Firmware (Nucleus OS) ROM NOR X seczone 1. truly unlock protected area by altering lock-state in seczone contains: encrypted lock-state
  89. 89. Unlocking 2. unlock on-the-fly by constantly overriding netlock checks in firmware
  90. 90. Unlocking 2. unlock on-the-fly by constantly overriding netlock checks in firmware Nucleus OS seczone NOR Baseband Processor
  91. 91. Unlocking 2. unlock on-the-fly by constantly overriding netlock checks in firmware iOS Nucleus OS seczone NOR UART Application Processor Baseband Processor
  92. 92. Unlocking 2. unlock on-the-fly run deamon process on by constantly overriding netlock application processor checks in firmware exploit code execution * (requires jailbreak) vulnerabilities to override netlock „on-the-fly“ unlockd iOS Nucleus OS X seczone NOR UART Application Processor Baseband Processor
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×