Bypassing iPhone Code Signatures

From The iPhone Wiki
Revision as of 04:32, 12 August 2008 by Dialexio (talk | contribs) (Please do NOT just copy and paste without edits.)
Jump to: navigation, search

Since the developer betas of the iPhone firmwares, Apple has started requiring all code on the device is signed. This is mostly to thwart unauthorized applications on the iPhone. To get around this (and thereby to install our own code onto the device) The dev team patched signature verification out of the kernel. However, another half of the code signing problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is difficult (especially to track as Apple makes changes) and of marginal benefit as adding these hashes is easy. There are currently three viable options.

Option #1: Self-Signing

This method is the simplest: using Apple's codesign tool to sign the binary. Since the signature verification checks have been removed from the kernel, any signature, including those not authorized by Apple, can do this.

Option #2: Pseudo-Signing

For some, the previous option just doesn't work. Not everyone uses Macs to develop and the entire codesign path requires not only a Mac but console access because codesign is, at some level, a graphical utility (the way it uses Keychain to get the signatures may prompt, with dialogs, for passwords). To get around this, there is a tool called ldid that, among other things, can generate the SHA1 hashes that are checked by the kernel. This tool is easily installed on the iPhone using Cydia or APT.

Option #3: Disable Checks

This option is really convenient for development purposes. Now, technically, this disables a lot more than just the codesign check, and its also more disabling the penalty than the check itself. In some cases, this may cause problems: being unable to connect to insecure Wi-Fi networks being the largest. This is done by using sysctl to deactivate the enforcement and can be undone either by resetting the variables back on or by rebooting. sysctl -w security.mac.proc_enforce=0 sysctl -w security.mac.vnode_enforce=0 As this does seem to cause some problems, here are 2 simple ways to undo this change: reset the variables back to 1 or reboot (every time the phone starts these default back to on). sysctl -w security.mac.proc_enforce=1 sysctl -w security.mac.vnode_enforce=1

Resources

Bypassing iPhone Code Signatures