The iPhone Wiki is no longer updated. Visit this article on The Apple Wiki for current information. |
Difference between revisions of "Bypassing iPhone Code Signatures"
(New page: Starting with the recent beta releases of the iPhoneOS, Apple has started requiring that all code on the device is signed. This is mostly to make it impossible for programs running through...) |
m (→Option #3: Disable Checks: changed ios 4 to 4.3 as mentioned at Incomplete Codesign Exploit) |
||
(7 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
+ | Since the developer betas of the iPhone firmwares, Apple has started requiring all code on the device is signed. This is mostly to thwart unauthorized applications on the iPhone. To get around this (and thereby to install our own code onto the device) The [[iPhone Dev Team]] patched signature verification out of the kernel. However, another half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is difficult (especially to track as Apple makes changes) and of marginal benefit as adding these hashes is easy. There are currently three viable options. |
||
− | Starting with the recent beta releases of the iPhoneOS, Apple has started requiring that all code on the device is signed. This is mostly to make it impossible for programs running through Apple's AppStore to download more software and run it (so no competition for AppStore). |
||
− | In order to get around this (and thereby to install our own code onto the device) the iPhone Dev Team has patched the signature verification out of the kernel. However, another half of the codesign problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is A) difficult (especially to track as Apple makes changes) and B) of marginal benefit as adding these hashes is easy. This means you do still have to at least pay lipservice to the code signature process. There are currently three viable options. |
||
− | Option #1: Self-Signing |
||
− | This method is the simplest to understand: using Apple's codesign tool to sign the binary. Because the signature verification checks have been hacked out of the kernel, you can use any signature to do this, not just ones that are approved by Apple's developer program. For instructions on how to make a self-signing certificate you can read this article from Apple's website: Obtaining a Signing Identity. |
||
− | mac$ platform=/Developer/Platforms/iPhoneOS.platform |
||
− | mac$ allocate=${platform}/Developer/usr/bin/codesign_allocate |
||
− | mac$ export CODESIGN_ALLOCATE=${allocate} |
||
+ | == Option #1: Self-Signing == |
||
− | mac$ codesign -fs "Name" Program |
||
+ | This method is the simplest: using Apple's codesign tool to sign the binary. Since the signature verification checks have been removed from the kernel, any signature, including those not authorized by Apple, can do this. For instructions on how to make a self-signing certificate you can read this article from Apple's website: [http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Procedures/chapter_3_section_2.html Obtaining a Signing Identity.] |
||
+ | mac$ platform=/Developer/Platforms/iPhoneOS.platform |
||
− | mac$ scp Program mobile@iphone: |
||
+ | mac$ allocate=${platform}/Developer/usr/bin/codesign_allocate |
||
− | Option #2: Pseudo-Signing |
||
+ | mac$ export CODESIGN_ALLOCATE=${allocate} |
||
− | For me, the previous option just doesn't work. I do not use Macs to do my development and the entire codesign path requires not only a Mac but console access because codesign is, at some level, a graphical utility (the way it uses Keychain to get the signatures may prompt, with dialogs, for passwords). To get around this, I wrote a tool called ldid that, among other things, can generate the SHA1 hashes that are checked by Apple's iPhoneOS kernel. This tool is easily installed on the iPhone using Cydia or APT. |
||
+ | mac$ codesign -fs "Name" Program |
||
− | iphone# apt-get install ldid |
||
− | + | mac$ scp Program mobile@iphone: |
|
− | iphone$ ldid -S Program |
||
− | Option #3: Disable Checks |
||
− | Finally, an option that is really convenient for development purposes is just to disable the check. Now, technically, this disables a lot more than just the codesign check, and its also more disabling the penalty than the check itself. I have run my phone for a while in this state, but I have heard that in some (many?) configurations it causes problems: being unable to connect to insecure WiFi networks being the largest. This is done by using sysctl to deactivate the enforcement and can be undone either by resetting the variables back on or by rebooting the phone. |
||
− | sysctl -w security.mac.proc_enforce=0 |
||
− | sysctl -w security.mac.vnode_enforce=0 |
||
− | As this does seem to cause some problems, I'll make a note about how to undo this (as it's really simple). You just need to reset the variables back to 1 or reboot the device (every time the phone starts these default back to on). |
||
− | sysctl -w security.mac.proc_enforce=1 |
||
− | sysctl -w security.mac.vnode_enforce=1 |
||
+ | Where Name is the name on the certificate you created and Program is the name of the program. Be sure to be in the programs directory before executing the code. |
||
− | Source: http://www.saurik.com/id/8 |
||
+ | |||
+ | == Option #2: Pseudo-Signing == |
||
+ | For some, the previous option just doesn't work. Not everyone uses Macs to develop and the entire codesign path requires not only a Mac but console access because codesign is, at some level, a graphical utility (the way it uses Keychain to get the signatures may prompt, with dialogs, for passwords). To get around this, there is a tool called ldid that, among other things, can generate the SHA1 hashes that are checked by the kernel. This tool is easily installed on the iPhone using Cydia or APT. |
||
+ | |||
+ | On iPhone run: |
||
+ | apt-get install ldid |
||
+ | scp user@desktop:Program . |
||
+ | ldid -S Program |
||
+ | |||
+ | == Option #3: Disable Checks == |
||
+ | This option is really convenient for development purposes. Now, technically, this disables a lot more than just the codesign check, and its also more disabling the penalty than the check itself. In some cases, this may cause problems: being unable to connect to insecure Wi-Fi networks being the largest. This is done by using sysctl to deactivate the enforcement and can be undone either by resetting the variables back on or by rebooting. |
||
+ | |||
+ | sysctl -w security.mac.proc_enforce=0 |
||
+ | sysctl -w security.mac.vnode_enforce=0 |
||
+ | |||
+ | As this does seem to cause some problems, here are 2 simple ways to undo this change: reset the variables back to 1 or reboot (every time the phone starts these default back to on). |
||
+ | sysctl -w security.mac.proc_enforce=1 |
||
+ | sysctl -w security.mac.vnode_enforce=1 |
||
+ | |||
+ | This method no longer works for iOS 4.3 and newer, due to the settings being read-only. |
||
+ | |||
+ | == Resources == |
||
+ | [http://www.saurik.com/id/8 Bypassing iPhone Code Signatures] |
Latest revision as of 14:27, 9 January 2012
Since the developer betas of the iPhone firmwares, Apple has started requiring all code on the device is signed. This is mostly to thwart unauthorized applications on the iPhone. To get around this (and thereby to install our own code onto the device) The iPhone Dev Team patched signature verification out of the kernel. However, another half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is difficult (especially to track as Apple makes changes) and of marginal benefit as adding these hashes is easy. There are currently three viable options.
Contents
Option #1: Self-Signing
This method is the simplest: using Apple's codesign tool to sign the binary. Since the signature verification checks have been removed from the kernel, any signature, including those not authorized by Apple, can do this. For instructions on how to make a self-signing certificate you can read this article from Apple's website: Obtaining a Signing Identity.
mac$ platform=/Developer/Platforms/iPhoneOS.platform mac$ allocate=${platform}/Developer/usr/bin/codesign_allocate mac$ export CODESIGN_ALLOCATE=${allocate} mac$ codesign -fs "Name" Program mac$ scp Program mobile@iphone:
Where Name is the name on the certificate you created and Program is the name of the program. Be sure to be in the programs directory before executing the code.
Option #2: Pseudo-Signing
For some, the previous option just doesn't work. Not everyone uses Macs to develop and the entire codesign path requires not only a Mac but console access because codesign is, at some level, a graphical utility (the way it uses Keychain to get the signatures may prompt, with dialogs, for passwords). To get around this, there is a tool called ldid that, among other things, can generate the SHA1 hashes that are checked by the kernel. This tool is easily installed on the iPhone using Cydia or APT.
On iPhone run:
apt-get install ldid scp user@desktop:Program . ldid -S Program
Option #3: Disable Checks
This option is really convenient for development purposes. Now, technically, this disables a lot more than just the codesign check, and its also more disabling the penalty than the check itself. In some cases, this may cause problems: being unable to connect to insecure Wi-Fi networks being the largest. This is done by using sysctl to deactivate the enforcement and can be undone either by resetting the variables back on or by rebooting.
sysctl -w security.mac.proc_enforce=0 sysctl -w security.mac.vnode_enforce=0
As this does seem to cause some problems, here are 2 simple ways to undo this change: reset the variables back to 1 or reboot (every time the phone starts these default back to on).
sysctl -w security.mac.proc_enforce=1 sysctl -w security.mac.vnode_enforce=1
This method no longer works for iOS 4.3 and newer, due to the settings being read-only.