Anatomy of an Exploit: iPhone Command Line Access
In this second part of the series, Chris shows us how to get command line access to your iPhone.
So, in the previous article, I described the new Pangu jailbreak, how you can install it, what it does (from a particular point of view), and how you use it. Since I wrote the last piece, Pangu released an English version of the jailbreak, so if your Chinese is a little rusty, you might want to go with that version. The rest of the instructions should remain the same.
Alright, so now that we have a jailbroken iPhone, let's talk about how you can make it useful for reverse engineering and application penetration testing. I use a Mac, so these instructions will be Mac-centric; if you're on another platform, some of this will definitely work, some of it may not.
Here, I'm going to cover the initial tools you need to install and the possible pitfalls involved with getting command line access to your (no longer under warranty, I should add) iPhone.
Initial Workstation Configuration
The very first thing you should do is install Gandalf or a similar USB multiplexing tool. This is vital: as soon as you install OpenSSH on your phone, you must change the device root password, and a USB multiplexer lets you reach the phone over the cable to do it instead of over the network. The root password generally used is alpine, and this is common knowledge; as soon as your phone is available via SSH, it's vulnerable. The mobile user has the same password, so you should change the password for that user too.
Configuring the Testbed
So, at this point, you have a jailbroken phone with Cydia (think of Cydia as an app store for tweaks and jailbreaking tools). Cydia, really, is a front-end for the Debian package manager. You can install these tools using apt-get and its ilk if you'd like. You'll need to install a few things first, though.
First, install OpenSSH and the Bigboss Recommended Tools. If you select the magnifying glass icon at the bottom of Cydia, and then search for OpenSSH, it'll show up in the results list. Go ahead and select it, and follow the prompts. You'll find the Bigboss tools the same way. The OpenSSH package contains what you'll need to access the command line on the phone, while the Bigboss tools are a package of commonly used Unix utilities that you'll want to have on the phone when you log in.
After these are installed, DISCONNECT YOUR PHONE FROM THE INTERNET. Remember, iPhones have a common, widely known root password — you need to change it.
Changing the Root Password
So your phone no longer has internet connectivity. Connect your phone to your Mac via your phone's USB cable, then run gandalf to find the UUID of the phone. With that information, you can now create a gandalf configuration file and use gandalf to create an SSH over USB connection to the phone, following the instructions on the gandalf page.
Log in to the phone using the root/alpine username/password combination. Immediately change your password, and send it to me (haha, please don't).
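To confirm that both the root and mobile passwords were actually changed, here is a check added for this write-up (not from the original article or from any of the tools it mentions). It assumes the hashes live in a master.passwd-format file such as /etc/master.passwd, that awk is available where you run it, and that DEFAULT_HASH is the stock DES crypt hash of alpine; the function names and sample data are made up for the example.

```shell
#!/bin/sh
# Assumption: stock DES crypt(3) hash of "alpine" in iOS password files.
DEFAULT_HASH='/smx7MYTQIi2M'

# default_pw_accounts FILE
# Prints the login name of every account whose hash field still equals
# DEFAULT_HASH. Prints nothing once every password has been changed.
default_pw_accounts() {
    awk -F: -v h="$DEFAULT_HASH" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        NF >= 2 && $2 == h { print $1 }    # field 2 is the password hash
    ' "$1"
}

# audit_passwords FILE
# Returns 0 when no account uses the default password, 1 otherwise.
audit_passwords() {
    stale=$(default_pw_accounts "$1")
    if [ -n "$stale" ]; then
        echo "still using the default password:" $stale >&2
        return 1
    fi
    echo "no default passwords found in $1"
}

# Constructed sample in master.passwd layout: root has been changed
# (placeholder hash), mobile has not, daemon has no usable password.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not copied from a real device
root:CHANGEDplaceholder:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
EOF

audit_passwords "$sample" || echo "run passwd for the accounts listed above"
rm -f "$sample"
```

On the phone, run audit_passwords /etc/master.passwd as root before reconnecting the device to any network.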
In the past, I installed mobile terminal so I could get a command line on my phone without logging in. Unfortunately, that application is 32-bit and doesn't run in 9.3.3 in my experience.
At this point, you have a small, portable 64-bit computer you can log into via SSH (either over USB or TCP/IP if you have the IP address of the device). Next, we'll discuss the tools you'll want to install on the device and on your computer to begin to do iPhone security research.