Introduction
This article is a kickoff read for people who are trying to get their hands dirty in iOS application security. If you have an iPhone, you must have heard the term ‘jailbreaking’ but might not have cared to search and know about it. So let’s look what, why, if and how we can jailbreak an iPhone.
What is Jailbreaking?
In simple words, jailbreaking your device gives you FREEDOM and lets you get the most out of it. It helps you in removing software restrictions imposed by Apple. Jailbreaking is the first step that must be taken to learn about what all is present in your iPhone. For those who doubt jailbreaking to be illegal, the answer is that jailbreaking is not illegal in any country right now. It’s just that you should not do anything that is against the copyright of Apple. Not to mention, it also voids your device warranty..
Types of Jailbreak
I’ll go by the community definition for each type, as things are more simpler to learn that way. There are currently four types of jailbreak-
- Untethered Jailbreak — Untethered jailbreak uses exploits that are powerful enough to allow the user to turn their device off and back on at will, with the device starting up completely, and the kernel will be patched without the help of a computer — in other words, it will be jailbroken even after each reboot.
- Tethered Jailbreak — A tethered jailbreak is only able to temporarily jailbreak the device during a single boot. If the user turns the device off and then boots it back up without the help of a jailbreak tool, the device will no longer be running a patched kernel, and it may get stuck in a partially started state, such as Recovery Mode. In order for the device to start completely and with a patched kernel, it must be “re-jailbroken” with a computer (using the “boot tethered” feature of a tool) each time it is turned on. All changes to the files on the device (such as installed package files or edited system files) will persist between reboots.
- Semi-tethered Jailbreak — A semi-tethered jailbreak is one where the device is able to start up on its own, but it will no longer have a patched kernel, and therefore will not be able to run modified code. It will, however, still be usable for normal functions, just like stock iOS, unlike a tethered jailbreak, which would not boot at all. To start with a patched kernel, the user must start the device with the help of the jailbreak tool.
- Semi-untethered Jailbreak — A semi-untethered jailbreak is similar to an untethered jailbreak, but it gives the ability to start the device on its own. On each boot, the device startup sequence is unmodified and it boots into its original, non-jailbroken configuration. However, rather than having to run a tool from a computer to jailbreak, like a tethered or semi-tethered cases, the user is able to re-jailbreak their device with the help of an app (usually sideloaded using Cydia Impactor) running on their device. In the case of the iOS 9.2–9.3.3 jailbreak, a Safari-based exploit was available, thereby meaning a website could be used to rejailbreak.
But, why to jailbreak it?
By jailbreaking your iPhone you can do the following -
- Get full access of the file system and all the binaries present on your iPhone
- Customize your iPhone using a tons of options
- Install unauthorized applications that are not present on the App Store
- Change wireless service providers
If & How can you jailbreak?
For jailbreaking, you need to know only the device name/model and iOS version. Once you get to know these two, just map them up in the tables mentioned in one of the below URLs:
- https://www.reddit.com/r/jailbreak/wiki/escapeplan/guides/jailbreakcharts
- https://www.theiphonewiki.com/wiki/Jailbreak#Jailbreak_Tools
For any FAQs regarding jailbreak, refer to the below mentioned URL:
https://www.reddit.com/r/jailbreak/wiki/faq
The Jailbreak process — Proof of Concept
For the proof of concept, I would be using iPhone 5S running on iOS 10.2.1
From the jailbreaking chart, three options are available to me i.e. Saïgon, Meridian and doubleh3lix. I would go for doubleh3lix option for the demo.
Note: You can jailbreak an iPhone using a computer running on any operating system (Windows, MacOS and Linux). If you are on Windows or MacOS, iTunes is required to be installed. You will also be requiring your Apple id for the process. If you do not have one, you can create one from here.
Step 1: Download Cydia Impactor and doubleh3lix jailbreaking IPA file. Make sure you have installed iTunes if you are on Windows or MacOS.
Step 2: Connect the iPhone to the computer via USB. Open Cydia Impactor and choose the name of the iPhone connected to it.
Step 3: From the application menu, click on Device and then click on Install Package.
Step 4: Select the IPA file from your file browser and click on ’Open’.
You can also combine Steps 3 & 4 by simply dragging and dropping the IPA file to Cydia Impactor.
Step 5: Make sure that you are connected to Internet and enter your Apple id and password.
Wait for the process to complete (It normally takes a couple of minutes).
Once the process gets completed, Impactor application will display a ‘Complete’ message. Otherwise, an error message will pop up on the screen.
Now, you will see a new application installed on your iPhone. (doubleH3lix in this case)
Step 6: Disconnect the iPhone from the computer. Go to Settings -> General -> Profile & Device Management
Step 7: Make sure that the iPhone is connected to the internet. Choose the same Apple id used in Impactor and tap on “Trust”.
Now the application is trusted and can be opened.
Step 9: Open the same application and tap on the button (‘Kickstart’ in this case).
Note: that the exploit may fail several times. Just make sure that you download all the software from their respective official websites.
Once the jailbreak is done, the iPhone will respring. A new application named Cydia will get installed on the device. You can consider Cydia to be the App Store for jailbroken devices.
The App Store and other applications that were installed will function as before. But we are not yet done with it. You have access to two users on your iPhone — ‘mobile’ and ‘root’. The first and most important step that you should do immediately after jailbreaking your iPhone is to change the default password for both ‘mobile’ and ‘root’ users i.e. alpine (all small letters).
To change the password, install MTerminal from Cydia application.
The Cydia Application will install MTerminal in the iPhone.
Open Terminal. Type ‘passwd’ and tap on ‘return’. You will be asked for old password. Type ‘alpine’. Then enter the new password you want to set and then retype. Do the same for ‘root’ user by typing the command ‘su’ in Mterminal.
Now you are done with it. Congratulations!
Conclusion
If you have followed the steps just as is, you can successfully set up a jailbreak environment for your iPhone and also secure it by changing the default passwords. Up next, we would learn about installing some basic tools (command line and GUI) that you must install in order to begin exploring your iPhone.
Image References: — https://images.google.com/
