In this talk we focus on challenges that Fried Apple team solved in a process of making untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.

1. March 28-31, 2017
1
2
3
4
5
6
7
8
9
10
11
12
FriedApples:
Jailbreak DIY
AlexHudeMaxBazaliy VladPutin

2. March 28-31, 2017
Who we are ? 1
2
3
4
5
6
7
8
9
10
11
12
o Security research group
o Focused on hardware and software exploitation
o Made a various jailbreaks for iOS, tvOS, watchOS
o Contributors to jailbreak community

3. March 28-31, 2017
o Secure Boot Chain
o Mandatory Code Signing
o Sandbox
o Exploit Mitigations
o Data Protection
o Secure Enclave Processor
1
2
3
4
5
6
7
8
9
10
11
12
iOS Security Overview

4. March 28-31, 2017
o Disable OS restrictions
o Gain full access to device
o Install 3-rd party tools and apps
o Exploit chain required
1
2
3
4
5
6
7
8
9
10
11
12
What is jailbreak ?

5. March 28-31, 2017
1
2
3
4
5
6
7
8
9
10
11
12
Jailbreak types
o Tethered
- Re-exploit device on each boot manually
o Untethered
- Re-exploit device on each boot automatically

6. March 28-31, 2017
1
2
3
4
5
6
7
8
9
10
11
12
Initial attack vector strategies
o Application archive (IPA) based
o USB payload based
o WebKitSMSbaseband based

7. March 28-31, 2017
1
2
3
4
5
6
7
8
9
10
11
12
Making jailbreak if you have bugs
o Write an exploit chain
o Patch OS security restrictions
o Install persistent binary
o Add Cydiasshremote shell

8. March 28-31, 2017
1
2
3
4
5
6
7
8
9
10
11
12
Making jailbreak if you don't have bugs
o Write an exploit chain Use public write-ups
o Patch OS security restrictions
o Install persistent binary
o Add Cydiasshremote shell

9. March 28-31, 2017
Implementation
1
2
3
4
5
6
7
8
9
10
11
12

10. March 28-31, 2017
o ROP
o Binary with Mach-O bug
o JavaScriptCore JIT region
o Sign with devent certificate
Arbitrary code execution strategies 1
2
3
4
5
6
7
8
9
10
11
12

11. March 28-31, 2017
Bypassing sandbox strategies
o TOCTOU Symlinks
o XPC
o Kernel patch
1
2
3
4
5
6
7
8
9
10
11
12

12. March 28-31, 2017
Escalating privileges strategies
o Code injection in system service
o Kernel patch
1
2
3
4
5
6
7
8
9
10
11
12

13. March 28-31, 2017
13
14
15
16
17
18
19
20
21
22
23
24
Bypassing KASLR strategies
o Information leak
o Brute force

14. March 28-31, 2017
Bypassing DEP strategies
o JavaScriptCore JIT
o Userland mmapmprotect bug
o Kernel patch
o ROP chain
13
14
15
16
17
18
19
20
21
22
23
24

15. March 28-31, 2017
Seeking for patches in kernel
o Static patchfinder (memmem)
memmem stringpattern, xref + instruction analysis
o Dynamic patchfinder
syscall, sysctl, mach location, known structs + emulation
13
14
15
16
17
18
19
20
21
22
23
24

16. March 28-31, 2017
Kernel patches in detail
o root
o task_for_pid(0)
o amfi
o sandbox
o __mac_mount
o _mapForIO
13
14
15
16
17
18
19
20
21
22
23
24

17. March 28-31, 2017
Escalate privileges
o Interesting APIs are restricted
o task_for_pid, mount etc
13
14
15
16
17
18
19
20
21
22
23
24

18. March 28-31, 2017
Escalate privileges patch
o Find setreuid
o Find ruid/euid checks
o Patch to skip reuid checks condition
13
14
15
16
17
18
19
20
21
22
23
24

19. March 28-31, 2017
Escalate privileges patch detailed 13
14
15
16
17
18
19
20
21
22
23
24

20. March 28-31, 2017
Kernel task
o Easy access to kernel memory
o Required for some kern utilities
13
14
15
16
17
18
19
20
21
22
23
24

21. March 28-31, 2017
Kernel task patch
o Patch task_for_pid
o Re-implement task_for_pid in ROP
o Find kernel task in memory
13
14
15
16
17
18
19
20
21
22
23
24

22. March 28-31, 2017
Kernel task patch detailed 13
14
15
16
17
18
19
20
21
22
23
24

23. March 28-31, 2017
Kernel task patch detailed 13
14
15
16
17
18
19
20
21
22
23
24

24. March 28-31, 2017
Apple Mobile File Integrity (AMFI)
o Run unsigned code
o Fake entitlements
o Get other process tasks
o Restrictions on mmap, mprotect etc
13
14
15
16
17
18
19
20
21
22
23
24

25. March 28-31, 2017
AMFI patch
o Patch amfi_get_out_of_my_way
o Patch PE_i_can_has_debugger
o Patch amfi mac policies
25
26
27
28
29
30
31
32
33
34
35
36

26. March 28-31, 2017
AMFI patch detailed 25
26
27
28
29
30
31
32
33
34
35
36

27. March 28-31, 2017
AMFI policy patch detailed 25
26
27
28
29
30
31
32
33
34
35
36

28. March 28-31, 2017
AMFI policy patch detailed 25
26
27
28
29
30
31
32
33
34
35
36

29. March 28-31, 2017
AMFI policies to patch 25
26
27
28
29
30
31
32
33
34
35
36

30. March 28-31, 2017
Sandbox
o Access files out of mobile container
o Unrestrict usage of system APIs
25
26
27
28
29
30
31
32
33
34
35
36

31. March 28-31, 2017
Sandbox patch
o Patch sb_evaluate (allow all)
o Hook sb_evaluate
o Patch sandbox mac policies
25
26
27
28
29
30
31
32
33
34
35
36

32. March 28-31, 2017
Sandbox patch detailed 25
26
27
28
29
30
31
32
33
34
35
36

33. March 28-31, 2017
Sandbox patch detailed 25
26
27
28
29
30
31
32
33
34
35
36

34. March 28-31, 2017
Sandbox policies 25
26
27
28
29
30
31
32
33
34
35
36

35. March 28-31, 2017
__mac_mount
o Remount system partition
o Get write access to system partition
25
26
27
28
29
30
31
32
33
34
35
36

36. March 28-31, 2017
__mac_mount patch
o Patch __mac_mount
o Call mount_common from kernel
25
26
27
28
29
30
31
32
33
34
35
36

37. March 28-31, 2017
__mac_mount patch detailed 37
38
39
40
41
42
43
44
45
46
47
48

38. March 28-31, 2017
_mapForIO lock
o “/” is mounted as read only
o only “/private/var” can be written
37
38
39
40
41
42
43
44
45
46
47
48

39. March 28-31, 2017
_mapForIO lock patch
o Patch _mapForIO
o Patch PE_i_can_has_kernel_configuartion
37
38
39
40
41
42
43
44
45
46
47
48

40. March 28-31, 2017
_mapForIO lock patch detailed 37
38
39
40
41
42
43
44
45
46
47
48

41. March 28-31, 2017
Kernel Patch Protection
37
38
39
40
41
42
43
44
45
46
47
48

42. March 28-31, 2017
Bypassing KPP strategies
o Checks for kernel pages, MMU, sysregs
o Execution on EL3
o Can’t disable, can race or …
37
38
39
40
41
42
43
44
45
46
47
48

43. March 28-31, 2017
How KPP works? 37
38
39
40
41
42
43
44
45
46
47
48

44. March 28-31, 2017
Original translation table 37
38
39
40
41
42
43
44
45
46
47
48

45. March 28-31, 2017
Create fake Level 1 table 37
38
39
40
41
42
43
44
45
46
47
48

46. March 28-31, 2017
Create fake Level 2 table 37
38
39
40
41
42
43
44
45
46
47
48

47. March 28-31, 2017
Create fake Level 3 table 37
38
39
40
41
42
43
44
45
46
47
48

48. March 28-31, 2017
Create fake pages 37
38
39
40
41
42
43
44
45
46
47
48

49. March 28-31, 2017
49
50
51
52
53
54
55
56
57
58
59
60
BBQit Framework

50. March 28-31, 2017
KPP bypass technique 49
50
51
52
53
54
55
56
57
58
59
60

51. March 28-31, 2017
KPP bypass technique (continue) 49
50
51
52
53
54
55
56
57
58
59
60

52. March 28-31, 2017
Achieving persistence strategies
o Find service that spawns on boot
o Check if it is running as root (optional)
o Find userland codesign bug
o Symlink system service to exec cs bypass
49
50
51
52
53
54
55
56
57
58
59
60

53. March 28-31, 2017
Achieving persistence example
o JavaScriptCore jsc interpreter
o Signed by Apple
o Can execute code on RWX segment
o Copy as system service to spawn on boot
49
50
51
52
53
54
55
56
57
58
59
60

54. March 28-31, 2017
Achieving persistence details 49
50
51
52
53
54
55
56
57
58
59
60

55. March 28-31, 2017
SSH
o Copy dropbear or install Cydia
o tcprelay.py -t 22:4222
o Password ‘alpine’
49
50
51
52
53
54
55
56
57
58
59
60

56. March 28-31, 2017
Cydia
o Copy tar to /bin/tar
o tar -xvfp cydia.tar
o Optional /.cydia_no_stash
o Flush uicache using /usr/bin/uicache
49
50
51
52
53
54
55
56
57
58
59
60

57. March 28-31, 2017
o New heap layout
o AMFI and Sandbox hardening
o KPP enhancements
iOS 10 security enhancements 49
50
51
52
53
54
55
56
57
58
59
60

58. March 28-31, 2017
o MISValidateSignatureAndCopyInfo
Replace with CFEqual or similar will not work
o validateCodeDirectoryHashInDaemon
possible race condition fixed
o Policy patches still work
iOS 10 amfi mitigations 49
50
51
52
53
54
55
56
57
58
59
60

59. March 28-31, 2017
o New operations
boot-arg-set, fs-snapshot*, system-package-check, ...
o New hooks
_hook_iokit_check_nvram_get,
_hook_proc_check_set_host_special_port,
_hook_proc_check_get_cs_info ...
iOS 10 sandbox mitigations 49
50
51
52
53
54
55
56
57
58
59
60

60. March 28-31, 2017
o New kernelcache layout
o Now _got segments are protected
o New hardware migrations on iPhone 7/Plus
iOS 10 KPP enhancements 49
50
51
52
53
54
55
56
57
58
59
60

61. March 28-31, 2017
KPP hardware mitigations
o AMCC
o Watch memory region for any access
o Prevents writing inside region
o Prevents exec outside region
61
62
63
64
65
66
67
68
69
70
71
72

62. March 28-31, 2017
KPP hardware mitigations 61
62
63
64
65
66
67
68
69
70
71
72

63. March 28-31, 2017
Future of jailbreaks
o iOS is more secure on each release
o More security on hardware side
o Exploits will be more valuable
o But there will be bugs and write-ups
61
62
63
64
65
66
67
68
69
70
71
72

64. March 28-31, 2017
Black Hat Sound Bytes
o Jailbreak is doable with public bug info
o Patches and KPP bypass from this talk
o May the XNU source be with you
61
62
63
64
65
66
67
68
69
70
71
72

65. March 28-31, 2017
@FriedAppleTeam
@mbazaliy @getorix @in7egral
61
62
63
64
65
66
67
68
69
70
71
72