Difference between revisions of "Up to Speed"

From The iPhone Wiki
m (link)
m
 
(11 intermediate revisions by 4 users not shown)
Line 2: Line 2:
   
 
* [[Activation]] - to bypass the required [[iTunes]] signup.
 
* [[Activation]] - to bypass the required [[iTunes]] signup.
* [[Jailbreak]] - to allow full write and execute privileges on the iPhone, iPod touch, iPhone 3G, iPhone 3GS, iPhone 4, iPhone 4S, iPad and iPad2.
+
* [[Jailbreak]] - to allow full write and execute privileges on any Apple TV, iPad, iPhone or iPod touch.
 
* [[Unlock]] - to allow the use of any mobile phone carrier's SIM.
 
* [[Unlock]] - to allow the use of any mobile phone carrier's SIM.
   
Line 9: Line 9:
 
=== Ways to learn about how jailbreaks work ===
 
=== Ways to learn about how jailbreaks work ===
   
  +
''(If you're more interested in learning how to develop for jailbroken devices, such as extensions/tweaks, check out the [http://iphonedevwiki.net/index.php/Main_Page iPhoneDevWiki] instead.)''
* You can read about general exploitation techniques on Wikipedia, starting with [https://en.wikipedia.org/wiki/Vulnerability_(computing)#Software_vulnerabilities software vulnerabilities] and [https://en.wikipedia.org/wiki/Privilege_escalation privilege escalation]. Learning about types of vulnerabilities can be fun even if you don't have any background yet in programming or security research - it's like learning about how puzzles work. To learn more about security research in general (useful for the beginner), try these links: [http://www.reddit.com/r/netsec/wiki/start Getting Started in Information Security by /r/netsec], [http://www.reddit.com/r/netsecstudents/wiki/resources /r/netsecstudents resources], and [http://pentest.cryptocity.net/ Application Security and Vulnerability Analysis].
 
   
  +
The basic idea here is that there are lots of ways to learn more about jailbreaking, for people of all experience levels and backgrounds. You might want to learn enough to actually find vulnerabilities in iOS (which is a huge undertaking), or you might just enjoy learning a little bit out of curiosity. Go through this list and pick something that looks fun to read!
* Read [http://winocm.com/research/2013/09/20/resources-for-getting-started/ winocm's recommendations for how to get started with iOS hacking]: learning ARM, understanding low-level parts of iOS, reading open source code in iOS and OS X, learning programming, learning about security/fuzzing, and then learning iOS-specific tools and tricks.
 
   
  +
* You can read about general exploitation techniques on Wikipedia, starting with [https://en.wikipedia.org/wiki/Vulnerability_(computing)#Software_vulnerabilities software vulnerabilities] and [https://en.wikipedia.org/wiki/Privilege_escalation privilege escalation]. Learning about types of vulnerabilities can be fun even if you don't have any background yet in programming or security research - it's like learning about how puzzles work. To learn more about security research in general (useful for the beginner), try these links: [http://www.reddit.com/r/netsec/wiki/start Getting Started in Information Security by r/netsec], [http://www.reddit.com/r/netsecstudents/wiki/resources r/netsecstudents resources], and [http://pentest.cryptocity.net/ Application Security and Vulnerability Analysis].
* Read [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 ''iOS Hacker's Handbook''], published in May 2012: "The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it."
 
  +
  +
* To learn a bit about what a jailbreak actually does to an iOS device, [https://news.ycombinator.com/item?id=4127801 see this conversation with saurik] - it explains the main technical changes that a typical jailbreak accomplishes. Here's also another [http://www.reddit.com/r/jailbreak/comments/17q6tk/is_the_ios_jailbreak_scene_dumber_than_android_or/c87w1hg conversation with saurik with a bit about the history of iOS jailbreaking and comparing it to Android rooting] - "I often recommend that people who are interested in one day being able to hack something like iOS go spend some time cutting their teeth on simpler systems, such as Android".
  +
  +
* Read [http://winocm.moe/research/2013/09/20/resources-for-getting-started/ winocm's recommendations for how to get started with iOS hacking]: learning ARM, understanding low-level parts of iOS, reading open source code in iOS and OS X, learning programming, learning about security/fuzzing, and then learning iOS-specific tools and tricks. She's also written a bunch of [http://winocm.moe/ other posts about iOS security research].
  +
  +
* Read [http://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123 ''iOS Hacker's Handbook''], published in {{date|2012|05}}: "The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it."
   
 
* pod2g also [http://www.idownloadblog.com/2012/12/20/pod2g-interview/ recommends] these books: [http://www.amazon.com/gp/product/0470395362/ref=as_li_qf_sp_asin_il_tl ''Mac Hacker's Handbook''], [http://www.amazon.com/gp/product/0321278542/ref=as_li_qf_sp_asin_il_tl ''Mac OS X Internals: A Systems Approach''], and [http://www.amazon.com/gp/product/1597494860/ref=as_li_qf_sp_asin_il_tl ''A Guide to Kernel Exploitation: Attacking the Core'']. And here are even more that can be useful: [http://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651 ''Mac OS X and iOS Internals: To the Apple's Core''], [http://www.amazon.com/Hacking-Securing-iOS-Applications-Hijacking/dp/1449318746 ''Hacking and Securing iOS Applications''], [http://www.amazon.com/OS-X-iOS-Kernel-Programming/dp/1430235365 ''OS X and iOS Kernel Programming''], and [http://www.amazon.com/Professional-Cocoa-Application-Security-Graham/dp/0470525959 ''Professional Cocoa Application Security''].
 
* pod2g also [http://www.idownloadblog.com/2012/12/20/pod2g-interview/ recommends] these books: [http://www.amazon.com/gp/product/0470395362/ref=as_li_qf_sp_asin_il_tl ''Mac Hacker's Handbook''], [http://www.amazon.com/gp/product/0321278542/ref=as_li_qf_sp_asin_il_tl ''Mac OS X Internals: A Systems Approach''], and [http://www.amazon.com/gp/product/1597494860/ref=as_li_qf_sp_asin_il_tl ''A Guide to Kernel Exploitation: Attacking the Core'']. And here are even more that can be useful: [http://www.amazon.com/Mac-OS-iOS-Internals-Apples/dp/1118057651 ''Mac OS X and iOS Internals: To the Apple's Core''], [http://www.amazon.com/Hacking-Securing-iOS-Applications-Hijacking/dp/1449318746 ''Hacking and Securing iOS Applications''], [http://www.amazon.com/OS-X-iOS-Kernel-Programming/dp/1430235365 ''OS X and iOS Kernel Programming''], and [http://www.amazon.com/Professional-Cocoa-Application-Security-Graham/dp/0470525959 ''Professional Cocoa Application Security''].
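Review bot: The links added in this hunk mix schemes: the Hacker News link is https:// while the added reddit.com, winocm.moe and amazon.com links are plain http://. Where the host serves HTTPS, link to the https:// URL so readers following these resources are not sent over an unencrypted connection. The winocm link also changes host from winocm.com to winocm.moe, so it is worth confirming the new URL resolves to the same "resources-for-getting-started" post before saving.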
Line 19: Line 25:
 
* Listen to the [[25C3 presentation "Hacking the iPhone"]]. This was in 2008, but it explains the basics in detail.
 
* Listen to the [[25C3 presentation "Hacking the iPhone"]]. This was in 2008, but it explains the basics in detail.
   
* See [http://techchannel.att.com/play-video.cfm/2013/1/8/Conference-TV-CSAW-THREADS-2012-iOS-Jailbreak-Analysis the presentation "Strategic Analysis of the iOS Jailbreaking Development Community"] by Dino Dai Zovi in November 2012.
+
* See [http://techchannel.att.com/play-video.cfm/2013/1/8/Conference-TV-CSAW-THREADS-2012-iOS-Jailbreak-Analysis the presentation "Strategic Analysis of the iOS Jailbreaking Development Community"] by Dino Dai Zovi in {{date|2012|11}}.
   
* [[i0n1c]] has given several presentations on iOS jailbreaking techniques, and there are PDFs of his slides available online, including: [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf "iOS Kernel Exploitation"], [http://reverse.put.as/wp-content/uploads/2011/06/D2T1-Stefan-Esser-iPhone-Exploitation-One-ROPe-to-Bind-Them-All.pdf "iPhone Exploitation: One ROPe to bind them all?"], and [http://antid0te.com/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf "iOS 5: An Exploitation Nightmare?"]. He has also recommended a couple of books: [http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X ''The Shellcoder's Handbook''] and [http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426 ''The Art of Software Security Assessment'']. You may also find it interesting to read [https://www.sektioneins.de/en/blog/13-07-03-trainingFrankfurt.html his outline for a workshop on developing kernel exploits] - note the requirements (knowing ARM assembly, ROP, buffer overflows, integer overflows; having access to IDA Pro, Hexrays, BinDiff).
+
* [[i0n1c]] has given several presentations on iOS jailbreaking techniques, and there are PDFs of his slides available online, including: [https://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf "iOS Kernel Exploitation"], [http://reverse.put.as/wp-content/uploads/2011/06/D2T1-Stefan-Esser-iPhone-Exploitation-One-ROPe-to-Bind-Them-All.pdf "iPhone Exploitation: One ROPe to bind them all?"], [http://antid0te.com/CSW2012_StefanEsser_iOS5_An_Exploitation_Nightmare_FINAL.pdf "iOS 5: An Exploitation Nightmare?"], and [http://www.slideshare.net/i0n1c/ruxcon-2014-stefan-esser-ios8-containers-sandboxes-and-entitlements "iOS8 Containers, Sandboxes and Entitlements"]. He has also recommended a couple of books: [http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X ''The Shellcoder's Handbook''] and [http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426 ''The Art of Software Security Assessment'']. You may also find it interesting to read [https://www.sektioneins.de/en/blog/13-07-03-trainingFrankfurt.html his outline for a workshop on developing kernel exploits] - note the requirements (knowing ARM assembly, ROP, buffer overflows, integer overflows; having access to IDA Pro, Hexrays, BinDiff).
   
 
* Check out [http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit this analysis of JailbreakMe 3.0] ([[Saffron]]).
 
* Check out [http://esec-lab.sogeti.com/post/Analysis-of-the-jailbreakme-v3-font-exploit this analysis of JailbreakMe 3.0] ([[Saffron]]).
Line 29: Line 35:
 
* Members of the team that built [[Corona]] for iOS 5.0.1 gave presentations about it, and there are PDFs of their slides available here: [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Corona%20Jailbreak%20for%20iOS%205.0.1.pdf Corona for A4] and [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Absinthe%20Jailbreak%20for%20iOS%205.0.1.pdf Corona/Absinthe for A5].
 
* Members of the team that built [[Corona]] for iOS 5.0.1 gave presentations about it, and there are PDFs of their slides available here: [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Corona%20Jailbreak%20for%20iOS%205.0.1.pdf Corona for A4] and [http://conference.hitb.org/hitbsecconf2012ams/materials/D2T2%20-%20Jailbreak%20Dream%20Team%20-%20Absinthe%20Jailbreak%20for%20iOS%205.0.1.pdf Corona/Absinthe for A5].
   
* Here's some analysis of [[evasi0n]] [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ from Accuvant Labs] and [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html from Azimuth Security], along with [http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/ a high-level explanation from planetbeing]. The evad3rs team gave [https://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf a presentation about evasi0n with slides available].
+
* Here's some analysis of [[evasi0n]] [http://blog.accuvant.com/bthomasaccuvant/evasi0n-jailbreaks-userland-component/ from Accuvant Labs] and [http://blog.azimuthsecurity.com/2013/02/from-usr-to-svc-dissecting-evasi0n.html from Azimuth Security], along with [http://www.forbes.com/sites/andygreenberg/2013/02/05/inside-evasi0n-the-most-elaborate-jailbreak-to-ever-hack-your-iphone/ a high-level explanation from planetbeing]. The evad3rs team gave [https://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Pod2g,%20Planetbeing,%20Musclenerd%20and%20Pimskeks%20aka%20Evad3rs%20-%20Swiping%20Through%20Modern%20Security%20Features.pdf a presentation about evasi0n with slides available]. geohot wrote a [http://geohot.com/e7writeup.html detailed analysis] of [[evasi0n7]].
  +
  +
* Play with [http://damnvulnerableiosapp.com/ Damn Vulnerable iOS Application (DVIA)], "a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment".
   
 
* Study the available [[Open Source Jailbreaking Tools|open source jailbreaking tools]].
 
* Study the available [[Open Source Jailbreaking Tools|open source jailbreaking tools]].
Line 36: Line 44:
   
 
* If you want to really get started, learn assembler for [[ARM]] processors. [http://opensecuritytraining.info/Training.html Open Security Training] has "Introduction to ARM" materials, for example.
 
* If you want to really get started, learn assembler for [[ARM]] processors. [http://opensecuritytraining.info/Training.html Open Security Training] has "Introduction to ARM" materials, for example.
  +
  +
* [http://www.newosxbook.com/index.php?page=notes Jonathan Levin] posts interesting iOS reverse engineering research. His series of books on "*OS Internals" are a definitive reference. In particular, Volume III deals exclusively with security, insecurity, and dissects every modern jailbreak from evasi0n (6.0) through async_wake (11.1.2) in detail.
   
 
===Now===
 
===Now===
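Review bot: In the added Jonathan Levin item, "Volume III deals exclusively with security, insecurity, and dissects every modern jailbreak" is a broken series (two nouns followed by a verb phrase), and "His series of books ... are a definitive reference" has a subject-verb mismatch. Suggest "His series of books on "*OS Internals" is a definitive reference. In particular, Volume III deals exclusively with security and insecurity, and dissects every modern jailbreak ... in detail." The link text is the author's name but the target is a notes page (index.php?page=notes); labelling it as his notes would make the destination clearer.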

Latest revision as of 14:08, 17 September 2021

So, all of this sounds intimidating. Jailbreak, sign, secpack, unlock, baseband, iBoot, seczone, JailbreakMe, pwnage - there are lots of terms to learn, but most of them are defined here on the wiki. The basics:

  • Activation - to bypass the required iTunes signup.
  • Jailbreak - to allow full write and execute privileges on any Apple TV, iPad, iPhone or iPod touch.
  • Unlock - to allow the use of any mobile phone carrier's SIM.

Think of the iPhone as a little computer, even though Apple doesn't want you to. It has a processor, RAM, a "hard drive", an operating system, and a cellular modem on the serial port.

Ways to learn about how jailbreaks work

(If you're more interested in learning how to develop for jailbroken devices, such as extensions/tweaks, check out the iPhoneDevWiki instead.)

The basic idea here is that there are lots of ways to learn more about jailbreaking, for people of all experience levels and backgrounds. You might want to learn enough to actually find vulnerabilities in iOS (which is a huge undertaking), or you might just enjoy learning a little bit out of curiosity. Go through this list and pick something that looks fun to read!

  • Read iOS Hacker's Handbook, published in May 2012: "The award-winning author team, experts in Mac and iOS security, examines the vulnerabilities and the internals of iOS to show how attacks can be mitigated. The book explains how the operating system works, its overall security architecture, and the security risks associated with it, as well as exploits, rootkits, and other payloads developed for it."
  • Read fuzzing for some explanation of how that technique has been used on iOS, and read how to reverse for some inspiration.
  • If you want to really get started, learn assembler for ARM processors. Open Security Training has "Introduction to ARM" materials, for example.
  • Jonathan Levin posts interesting iOS reverse engineering research. His series of books on "*OS Internals" is a definitive reference. In particular, Volume III deals exclusively with security and insecurity, and dissects every modern jailbreak from evasi0n (6.0) through async_wake (11.1.2) in detail.

Now