Anatomy of an Exploit: Pangu Jailbreak
In this first part of the series, Chris is going to take you step by step through how you can get and apply the jailbreak to supported devices.
Update: There's a newer, English-language jailbreak from Pangu out as well. These instructions work for installing that jailbreak too.
If you follow the jailbreaking community at all, you've seen that Pangu just released a semi-tethered jailbreak for iOS 9.2 through 9.3.3. I'm going to spend the next couple of articles going over how to use the jailbreak to create a penetration testing platform on iOS 9.3.3, and then I'm going to use that platform to reverse engineer the jailbreak a bit.
There are some great guides out there on how to set up a pentesting environment for iOS, but they're really best applied to older versions of iOS. That said, they worked great on my 32-bit iPhone 4, and the basic methodology and most of the tools still work on my 64-bit iPhone 6.
In this first part of the series, I'm going to take you step by step through how you can get and apply the jailbreak to supported devices. Then, once we have command line access to your phone via SSH, we'll do some initial on-device analysis of the jailbreak. After that, we'll pull the jailbreaking application off the phone and continue our analysis off-device.
Remember, when you jailbreak, you are weakening the platform's own defenses: code-signing enforcement and sandbox restrictions are relaxed, and if you install OpenSSH, the root account ships with the well-known default password (alpine), which you should change with passwd before the phone touches any network you don't control. I do security research, and I never use any of my research devices for anything but research. I don't personally tweak any of my devices. If you're interested in that, that's fine, but it's not my cup of tea and you'll need to accept any risk associated with it.
In general, Apple is ambivalent about jailbreaking as long as you're not stealing content, but it doesn't warranty jailbroken devices either, so keep that in mind.
Applying Pangu 9.3.3 Jailbreak
You may have heard that this jailbreak only works from Windows. I've seen this reported, but it isn't the case: I used my Mac, and I'm under the impression that you used to be able to apply this jailbreak without being tethered to a computer at all. I didn't do that, though, and I'm going to take you through exactly what I did. Remember, I do security research, so my perspective is different from that of many jailbreak users. I'm more interested in getting access to the underlying operating system than in applying tweaks. That said, there's an extensive list over on Reddit (/r/jailbreak) of tweaks that are supported under the new jailbreak, if you're into that kind of thing.
So this is a semi-tethered jailbreak. What does this mean, exactly? Well, in this case, if I reboot the phone, I lose my jailbreak. When this happens, OpenSSH doesn't work and I don't have access to the OS. Fortunately, the app that jailbreaks the device is still resident, and all I need to do is use the app to re-jailbreak the phone. (The jailbreak community usually calls this arrangement semi-untethered, because no computer is needed to re-enable it; a strictly semi-tethered jailbreak boots into a stock state but needs a computer to re-enable.) An untethered jailbreak survives reboots, while a tethered jailbreak requires me to attach the phone to a computer after every reboot to re-jailbreak it. Personally, it doesn't matter to me whether the jailbreak is tethered or not, but if I were more interested in tweaks, I'd definitely prefer an untethered one. Nevertheless, I'm thrilled the Pangu team released this. I know how much work putting together a jailbreak is, and I really appreciate their efforts.
Before you do any of this, back up your phone! In iTunes, create a backup of your phone and disable automatic syncing (you don't want to overwrite your backup). This is vital: if something goes wrong you may have to restore the device, and a restore can only go to an iOS version Apple is still signing, which may no longer be a jailbreakable one by the time you need it.
First, you'll need to download a couple of things: the jailbreak IPA and the iOS App Signer tool. An IPA file is just a ZIP archive containing the application bundle, and the app signer re-signs that bundle with your own developer certificate and provisioning profile so that your phone will accept it.
You'll also need Xcode (the newest version) and, well, a Mac to run it on. You should also have an Apple Developer account (go ahead and register, we'll wait), and you'll want to update your phone to iOS 9.3.3 (the recommended version for the jailbreak). One caveat: Xcode will sign with a free Apple ID, but the certificate it issues that way is only valid for seven days, after which you'll have to re-sign and reinstall the app; a paid developer account gives you a one-year certificate.
If you feel up to it, unzip the IPA file. Inside, under Payload/, you'll see the app bundle itself (a .app directory) and, within it, the Info.plist file (this is important later). The next thing we'll do is sign and install the app.
Alright. At this point you have Xcode installed and an Apple Developer account, you've downloaded the jailbreak IPA and the App Signer, and your phone is updated to iOS 9.3.3. Now we need to generate a provisioning profile to sign and install the app. If you're an iOS developer, you already have one and can skip to the next step (but you're probably not reading this anyway).
Otherwise, plug your phone into your Mac with the usual USB cable and start Xcode. Create a new project, select the Single View Application template (the simplest one), go through the various dialogs, and let Xcode set up the project.
Now we want to configure Xcode to deploy to the phone rather than the simulator. In the upper left of the Xcode window, the scheme selector looks something like this:
Click on the iPhone 6 entry (this is the simulator, not an actual phone) and a drop-down menu appears. At the top of that menu you should see your device. Select it; this directs Xcode to build and install the app onto your phone.
Next, run the application by pressing Command-R or by clicking the play button (shown in the first figure, at the left). You'll be prompted to create a provisioning profile; follow the prompts, enter your Apple Developer credentials, and you should be good to go. Leave this app on your phone for now. You can remove it after you've jailbroken.
Now install the app signing tool, which is as easy as opening the archive and copying it to your Applications folder (or wherever you want to run it from). Open the signer and select the IPA you downloaded in the first step as the input file. Select your iPhone Developer certificate as the signing identity and leave the rest of the fields blank. Press Start. You'll be prompted for a name for the new IPA; pick one that won't overwrite the original, such as PanguJailbreak.
You've just generated a jailbreak IPA signed with your own certificate.
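The IPA layout described above, and a check on what the App Signer has to add for the phone to accept the result, as an added example that is not code from the original article or from Pangu. It builds two constructed stand-in IPAs in memory (a hypothetical com.example.demo bundle with a made-up team ID, device UDID and expiration date, and fake CMS framing around the profile plist) and parses them the way you would parse a real one: read Info.plist out of the ZIP, look for the signature directory, and pull the provisioning profile's plist out of the CMS blob to see which team, which devices and which entitlements it grants.

```python
"""Inspect an IPA before and after signing.

Added example, not part of the original article or the Pangu tooling.
An IPA is a ZIP archive: Payload/<Name>.app/ holds Info.plist, the Mach-O
executable and, once signed, _CodeSignature/CodeResources plus the
embedded.mobileprovision profile. The IPAs built here are constructed stubs
(a plist and a few placeholder bytes), not a real app.
"""
import datetime
import io
import plistlib
import re
import zipfile

# embedded.mobileprovision is a CMS (PKCS#7) blob wrapping an XML plist; pulling
# the plist out by its delimiters avoids needing an ASN.1 parser.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def build_sample_ipa(signed):
    """Construct a stand-in IPA in memory (hypothetical bundle com.example.demo)."""
    info = {
        "CFBundleIdentifier": "com.example.demo",
        "CFBundleExecutable": "Demo",
        "CFBundleShortVersionString": "1.0",
        "MinimumOSVersion": "9.0",
    }
    base = "Payload/Demo.app/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Real bundles ship Info.plist in binary form; plistlib reads either format.
        zf.writestr(base + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        zf.writestr(base + "Demo", b"\xcf\xfa\xed\xfe" + b"\0" * 32)  # fake Mach-O header
        if signed:
            profile = {  # constructed profile contents
                "TeamIdentifier": ["ABCDE12345"],
                "ProvisionedDevices": ["0123456789abcdef0123456789abcdef01234567"],
                "ExpirationDate": datetime.datetime(2016, 8, 10),
                "Entitlements": {
                    "application-identifier": "ABCDE12345.com.example.demo",
                    "get-task-allow": True,  # development profile: a debugger may attach
                },
            }
            wrapped = b"\x30\x82\x0b\x00" + plistlib.dumps(profile) + b"\x00" * 16  # fake CMS framing
            zf.writestr(base + "embedded.mobileprovision", wrapped)
            zf.writestr(base + "_CodeSignature/CodeResources", b"<plist/>")
    return buf.getvalue()


def inspect_ipa(ipa_bytes):
    """Summarise the app bundle inside an IPA without installing it."""
    zf = zipfile.ZipFile(io.BytesIO(ipa_bytes))
    names = zf.namelist()
    apps = {n.split("/")[1] for n in names
            if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
    if len(apps) != 1:
        raise ValueError("expected exactly one .app under Payload/, found %r" % sorted(apps))
    base = "Payload/%s/" % apps.pop()
    info = plistlib.loads(zf.read(base + "Info.plist"))
    result = {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info.get("CFBundleExecutable"),
        "version": info.get("CFBundleShortVersionString"),
        "min_os": info.get("MinimumOSVersion"),
        "signed": base + "_CodeSignature/CodeResources" in names,
        "team_id": None,
        "expires": None,
        "devices": [],
        "debuggable": False,
        "app_id_matches": None,
    }
    if base + "embedded.mobileprovision" in names:
        m = PLIST_RE.search(zf.read(base + "embedded.mobileprovision"))
        if m:
            prof = plistlib.loads(m.group(0))
            ents = prof.get("Entitlements", {})
            result["team_id"] = (prof.get("TeamIdentifier") or [None])[0]
            result["expires"] = prof.get("ExpirationDate")
            result["devices"] = list(prof.get("ProvisionedDevices", []))
            result["debuggable"] = bool(ents.get("get-task-allow", False))
            app_id = ents.get("application-identifier", "")
            # The app ID must be TEAMID.<bundle id> (or a TEAMID.* wildcard) or iOS refuses the install.
            result["app_id_matches"] = app_id in (
                "%s.%s" % (result["team_id"], result["bundle_id"]),
                "%s.*" % result["team_id"],
            )
    return result


def signed_for_device(ipa_bytes, udid, today):
    """Will this IPA install on the device with this UDID on the date given as YYYY-MM-DD?"""
    r = inspect_ipa(ipa_bytes)
    when = datetime.datetime.strptime(today, "%Y-%m-%d")
    return bool(r["signed"] and r["app_id_matches"] and udid in r["devices"]
                and r["expires"] is not None and r["expires"] >= when)


if __name__ == "__main__":
    for flag in (False, True):
        print("signed=%s ->" % flag, inspect_ipa(build_sample_ipa(flag)))
```

On a real file, inspect_ipa(open("PanguJailbreak.ipa", "rb").read()) tells you before you drag anything into Xcode whether the signer actually added the signature directory and a profile that lists your phone's UDID, and whether get-task-allow is set (true on a development profile, which is what lets you attach a debugger to the app later in this series).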
Now, with Xcode still open, go to Window > Devices. This opens Xcode's device management window. From here, drag and drop your signed jailbreak (PanguJailbreak.ipa) into the Installed Apps section. At this point, it should look something like this:
Follow any prompts to sync the device (it happened automatically for me). Now unlock your phone; you should see the Pangu jailbreak icon on the home screen. You may be prompted to trust the developer profile explicitly; you can do this on your phone under Settings > General > Device Management (remember, this is ON YOUR PHONE, not in Xcode).
You'll see an app icon with Chinese writing on your home screen. Open it. Here you'll see a single large round button and a checkbox. Uncheck the checkbox and tap the big round button. Wait a few seconds (five or six), then lock your phone and wait for it to reboot. It's best if you leave the room so you're not tempted to unlock the device while it's jailbreaking. It may take a couple of tries.
That's it! Next, we'll take a look at the actual jailbreak itself.
Opinions expressed by DZone contributors are their own.