Introduction
I've started to get into Mobile Pen Testing and purchased an iPhone SE 2 (2020) to help with the iOS side of the house since the "newest" device I had lying around was an iPhone 4S. These are my notes around this device.
Jailbreak
Summary
First, keep in mind that jailbreaking your device may damage your device if you are not careful and it may interfere with your warranty. I take no responsibility if something bad happens and you have to buy a new device.
I received my iPhone SE 2 (2020) on June 4th, 2020 and needed to jailbreak to best leverage the iPhone's capabilities to assist in iOS Pen Testing.
unc0ver 5.0.1 was released on May 25th, 2020 and exploited a Kernel bug in iOS 13.5, which allowed every single iOS device to have a semi-untethered jailbreak. Semi-untethered means it will persist until you reboot your iPhone, but you are able to jailbreak again without the aid of any other devices.
Apple patched this Kernel bug with 13.5.1 on June 1st, 2020. As of June 4th, 2020, Apple is still signing iOS 13.5, which means that you can still upgrade to this version if you're on a lower version. Apple will, however, stop signing 13.5 very soon to stop people from jailbreaking, so if you have the ability to get on 13.5, I highly recommend doing so and dumping your .SHSH2 blob. That way, if you decide to keep your device jailbroken on 13.5 and something bad happens, you can easily restore to 13.5 well after Apple stops signing iOS 13.5 and prohibits people from installing it via official means.
Update to iOS 13.5
Summary
unc0ver 5.0.1 is designed for iOS 13.5, but as of June 1st, 2020, iOS 13.5.1 is the most current version, which means that updating to 13.5 isn't as straightforward as it could be, but still isn't hard. I'll be using Windows 10 for this as I need iTunes. When I got my iPhone SE 2 (2020) on June 4th, 2020, it was on iOS 13.4.1, so I needed to upgrade it to iOS 13.5.
Required Software
You will need to download and install the following software:
- iTunes (NOT UWP version. If you installed from the Microsoft Store, uninstall it first)
I won't walk through installing iTunes since it's a pretty standard affair. Make sure you can run it and it sees your iPhone.
You will need to download the iOS 13.5 IPSW file from ipsw.me.
They're different for each device, but you can find the one I used below:
Update
Go to the iDevice Summary page. You'll see you are prompted to install iOS 13.5.1. You can select a specific firmware by holding Shift and clicking Update. Select the iOS 13.5 IPSW we downloaded above and the process of updating to 13.5 will begin.
Once finished, go to iOS Settings => General => About and confirm you are on iOS 13.5.
unc0ver 5.0.1
Summary
In this phase, we will be jailbreaking our iOS 13.5 device with unc0ver 5.0.1. I did this on Windows using AltStore, but there are instructions on the unc0ver website on how to do this on iOS, macOS, Windows, and Linux. Some methods cost money ($100/yr for an Apple Developer account) or require you to already be jailbroken. This method requires neither.
Required Software
You will need to download and install the following software:
- iTunes (NOT UWP version. If you installed from the Microsoft Store, uninstall it first)
- iCloud
- AltStore
I won't walk through the installation since it's a pretty standard affair. Install them all and make sure they run. To confirm AltStore has properly been installed, check for it (a diamond icon) in your Windows taskbar. You will need to run it first before it will appear there.
Install AltStore
Open iTunes and make sure your iDevice is connected.
Click on the AltStore diamond in the Windows taskbar, and click Install AltStore => <iDevice Name>.
Enter your Apple ID username and password.
You might be prompted to install iCloud if it isn't already installed.
You will then be prompted to enter your 2FA pin.
From here, you should have the AltStore icon on your iPhone.
Install unc0ver 5.0.1
In Safari on your iDevice, navigate to https://unc0ver.dev and click Download v5.0.1. Save the unc0ver-v5.0.1.ipa to your iDevice and open AltStore.
Click the My Apps option at the bottom and the + icon in the top left corner. Select unc0ver-v5.0.1.ipa and install it.
You will now see its icon on your iPhone, however, if you try to run it, it will say it was created by an Untrusted Developer.
Go to Settings => General => Device Management => <your email> and click Trust "<your email>". Click Trust on the prompt. It should now open properly.
Jailbreak
Open the unc0ver app and click Jailbreak.
It will prompt you that you will need to reboot to finish the jailbreak process. Click OK.
Open the unc0ver app and click Jailbreak again.
It will prompt you that No error occurred and that the device will reboot into the jailbroken state.
Cydia
One of the hallmarks of a Jailbroken iDevice is the Cydia application. This should now be present on your homescreen.
Prohibit Future Updates
I highly recommend that you stop your iPhone from updating if you wish to stay on the jailbreakable 13.5. There is a bug in unc0ver 5.0.1 that makes this a little counter-intuitive. If you open iOS Settings => General => Software Update, you will see that 13.5.1 is available. This should not happen.
First, let's stop it the "official" way: click on Automatic Updates and set the toggle to Off.
Now let's do it the unc0ver way for additional protection. Launch the unc0ver app and select the cog in the top left corner. Note that the Disable Auto Updates toggle is currently Blue (On). You must turn this to Black (Off) in order for updates to be stopped. I know this is backwards. This is the bug I mentioned earlier. Click Done and click Re-Jailbreak.
Now when you go to iOS Settings => General => Software Update, you will see that it was Unable to Check for Update. This is the desired state and you are now safe.
Backup .SHSH2 Blob
Summary
Typically, you can only install an iOS version while Apple is signing it. The .SHSH2 blob is a file that can be used to restore/downgrade to a specific iOS version well after Apple has stopped signing it. .SHSH2 blobs are specific to YOUR iDevice and can be generated for a version of iOS only while Apple is still signing it, so time is of the essence. As of June 4th, 2020, Apple is still signing iOS 13.5, so you are still able to generate the .SHSH2 blobs for your device so you can make sure you're always able to have a jailbroken iOS 13.5 iDevice.
Install System Info
There is a tweak called System Info that is available in a Cydia repository after adding said repository. This tweak shows you all the information you could possibly need for this step and more.
Open the Cydia app on your phone and go to the Sources menu item. Click Edit in the top right corner and Add in the top left corner. Type https://apt.xninja.xyz and click Add Source.
Once added, go back to Sources and click on ARX8x's repo => All Packages => System Info. Click Modify in the top right corner and click Install.
Backup .SHSH2 Blob
I find the easiest way to back up your .SHSH2 blob is via email, but these steps will save it to your device so you can back it up however you like. If you're doing email, make sure it is set up before continuing.
Open iOS Settings => About and navigate to the System Info section.
Locate the ECID line and swipe it from Right to Left. Click Save SHSH2. Select 13.5 - 17F75 from the options to back up your iOS 13.5 .SHSH2 Blob.
You may be prompted with 405 - no pairs found for ECID. Click Derive New. If it says ApNonce Pair, you should be fine to Use the old pair, but you can Derive New if you want. Either way, you should definitely make the ApNonce Pair window appear and save it in your backups in case you need to use your SHSH2 blob to restore in the future.
It will save your .SHSH2 blob to /private/var/mobile/SHSH/13.5/*.shsh2/. Click the Share button and email it to yourself. Note that the name of the file is in the following format:
<Generator in Decimal Form>_<Model Identifier>_<ApNonce>.shsh2
I would highly recommend leaving it named this way so that you have this information easily available when you need it.
While you're here, it couldn't hurt to have a screenshot of the entire System Info page for your backups.
Verify .SHSH2 Blob
With your .SHSH2 Blob backed up on your computer, you can go to the Blob Checker and upload your Blob. The Identifier and Version should fill automatically, but verify they are correct and that you are not a robot and click Submit.
You should receive the message SHSH2 is valid! and you should be good to go. It doesn't hurt to keep a copy of all the text on this page and make sure your .SHSH2 is safely backed up alongside this information and the screenshots of your System Info.
Items to Backup
Summary
So far we have jailbroken iOS 13.5 with unc0ver 5.0.1 and dumped the .SHSH2 blobs. I also wanted to briefly touch on what to do if things go super wrong and you need to restore your device to iOS 13.5 well after Apple has stopped signing it. Unfortunately, I couldn't find great instructions and it appears that newer devices may not be able to do much at the current time without a jailbreak already in place. I'll look more into it when I cross that bridge. In the meantime, here's a list of information that you should definitely make sure you have backed up.
You will need to download the iOS 13.5 IPSW file from ipsw.me.
You will need the following information:
- ECID: Found in iTunes by connecting the device and clicking the Serial Number (Ex: 4485E2859345B)
- Model Identifier: Found just like ECID (Ex: iPhone12,8)
- Your SHSH2 Blob
- Your Nonce Generator
Get your ECID and Model Identifier
Open iTunes and connect your device. Go to the devices page and click the Serial Number. This will cycle through your Serial Number, UDID, ECID, and Model Identifier. It probably wouldn't be a bad idea to just keep all of this information in your notes.
Get your SHSH2 Blob
You can follow my previous step on getting the .SHSH2 Blob to get yours.
Get your Nonce Generator
We will first need to get the Nonce Generator Key associated with your backup. The best place to get this is from within the .SHSH2 blob itself. Look for the following lines around line 166:
```xml
<key>generator</key>
<string>0x[YourGenerator]</string>
```
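As an added example (my own script, not part of these notes or of System Info), here is a small Python program that covers both the file name format from the "Backup .SHSH2 Blob" section and the generator key shown just above: it reads a .shsh2 blob with the standard-library plistlib, pulls the generator out, converts it to the decimal form the file name uses, and cross-checks the two so a mismatched or mis-renamed backup is caught before you ever need it. The blob and file name embedded below are constructed stand-ins: the generator, model identifier and ApNonce are made up, and the ApImg4Ticket payload (the key under which tsschecker-style blobs carry the actual ticket) is dummy bytes rather than a real DER-encoded ticket. All function names are my own.

```python
import plistlib
import re

# Constructed sample (NOT a real device's ticket): the generator, model
# identifier and ApNonce below are made up, and the ApImg4Ticket payload is
# dummy bytes instead of a real DER-encoded ticket.
SAMPLE_GENERATOR = "0x1111111111111111"
SAMPLE_MODEL = "iPhone12,8"
SAMPLE_APNONCE = "ab" * 32          # 64 hex chars = 32-byte nonce
SAMPLE_BLOB = plistlib.dumps({
    "ApImg4Ticket": b"\x30\x82\x00\x08DUMMY!!!",   # placeholder, not a real ticket
    "generator": SAMPLE_GENERATOR,
})
# File name built the way the naming format in these notes describes it.
SAMPLE_FILENAME = f"{int(SAMPLE_GENERATOR, 16)}_{SAMPLE_MODEL}_{SAMPLE_APNONCE}.shsh2"

# <generator in decimal>_<model identifier>_<ApNonce>.shsh2; nonces are
# 20 or 32 bytes depending on the device generation.
FILENAME_RE = re.compile(
    r"^(?P<gen>\d+)_(?P<model>(?:iPhone|iPad|iPod)\d+,\d+)_"
    r"(?P<nonce>[0-9a-f]{40}|[0-9a-f]{64})\.shsh2$"
)
GENERATOR_RE = re.compile(r"^0x[0-9a-fA-F]{1,16}$")


def read_generator(blob: bytes) -> str:
    """Return the 64-bit nonce generator ('0x...') stored in a .shsh2 plist.

    plistlib.loads accepts both the XML and the binary plist encodings.
    """
    plist = plistlib.loads(blob)
    gen = plist.get("generator")
    if not isinstance(gen, str) or not GENERATOR_RE.match(gen):
        raise ValueError(f"blob has no well-formed generator: {gen!r}")
    return gen.lower()


def generator_to_decimal(gen: str) -> int:
    """Convert the '0x...' generator to the decimal form used in the file name."""
    return int(gen, 16)


def ecid_to_decimal(ecid_hex: str) -> int:
    """iTunes shows the ECID in hex; this gives the decimal form some restore tools expect."""
    return int(ecid_hex, 16)


def parse_filename(name: str) -> tuple:
    """Split a blob file name into (generator as int, model identifier, ApNonce)."""
    m = FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"file name does not follow the expected layout: {name!r}")
    return int(m["gen"]), m["model"], m["nonce"]


def check_blob(name: str, blob: bytes) -> dict:
    """Cross-check a backed-up blob against its file name and summarise it.

    Raises ValueError if the file name's generator disagrees with the one
    inside the blob, or if the blob carries no ApImg4Ticket payload.
    """
    gen = read_generator(blob)
    gen_dec, model, nonce = parse_filename(name)
    if gen_dec != generator_to_decimal(gen):
        raise ValueError(
            f"file name says generator {gen_dec}, blob says {generator_to_decimal(gen)}"
        )
    ticket = plistlib.loads(blob).get("ApImg4Ticket")
    if not isinstance(ticket, bytes) or not ticket:
        raise ValueError("blob has no ApImg4Ticket payload")
    return {
        "generator": gen,
        "generator_decimal": gen_dec,
        "model": model,
        "apnonce": nonce,
        "ticket_bytes": len(ticket),
    }


if __name__ == "__main__":
    # Point these at a real file name and open(path, "rb").read() for your own blob.
    for key, value in check_blob(SAMPLE_FILENAME, SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run it against your own backup by replacing the sample name and bytes with the real file name and its contents; a ValueError means the name and the blob no longer agree, which is exactly the situation you want to discover while Apple is still signing 13.5 and you can still generate a fresh blob.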
What now?
With all of this information securely backed up, let's say your iDevice accidentally gets updated or is unable to boot. It is possible that, even well after Apple has stopped signing your iOS version, you can restore your device back to the desired iOS version. The steps appear to vary based on device, and it seems like there isn't great information for A13 devices yet, but most of them use 3rd party tools like FutureRestore alongside the information on this page to allow you to restore.
Tools
Burp Suite
Summary
Burp Suite is a great tool that essentially acts as a middle-man between your client (browser, device, etc.) and a server it is trying to communicate with. You're able to capture, inspect, replay, modify, etc. all the network requests sent between the two.
Unfortunately, it can take a good amount of work to get it to cooperate with iOS.
Installation
Installation is pretty straightforward: you just go to the Download page and install it on your local workstation.
Configuration
I'm currently on Windows 10, so depending on your OS, some things are going to be a LITTLE different, but I'm hoping that this will provide you a good starting point. I do not believe you need a jailbroken device for the basic functionality of Burp Suite, but it certainly doesn't hurt. I am writing this guide with the following setup:
- OS: Windows 10 (10.0.19041 Build 19041)
- iDevice: iPhone SE 2
- iOS: 13.5 (jailbroken)
- Burp Suite: 2020.6A
Huge shout out to the people in this portswigger thread who provided a lot of the missing pieces.
Delete Old Stuff
If you're here, you've probably tried a lot of things that may cause conflicts with the setup I'm doing here, so I recommend you start from a clean slate. I'd go to Settings => General => Profiles & Device Management and delete any Burp related certs under Configuration Profile. If you have anything under Developer App, I would recommend leaving it because that's probably AltStore and how you're jailbreaking. Just click the Profile, click Remove Profile, and enter your pin.
Generate a Certificate
Apple decided to make our lives hard by hardening the requirements for trusted certs in iOS 13 so we will need to create our own certs rather than using the ones Burp Suite generates.
I have Ubuntu 20.04 installed with WSL2 on Windows 10 and I don't want to go into how to set that up here, but essentially, you just need access to the openssl command.
Run the following commands to generate your new certificates:
Create Certificate Directory
```bash
cd /mnt/c/Program\ Files/BurpSuite*
mkdir certificates
cd certificates
```
Generate Certificates
```bash
# Self-signed root CA; 1.3.6.1.5.5.7.3.1 is the serverAuth extended key usage
# that iOS 13 expects to see (-addext needs OpenSSL 1.1.1 or newer).
openssl req -x509 -nodes -newkey rsa:4096 -keyout myBurpCA.key -out root-ca.crt -days 365 \
  -subj "/C=CA/O=Burp/OU=Certification Services/CN=MyBURPRootCA/" \
  -addext "extendedKeyUsage=1.3.6.1.5.5.7.3.1"
# Bundle key and certificate into a PKCS#12 file that Burp Suite can import.
openssl pkcs12 -export -out BurpRootCA.pfx -inkey myBurpCA.key -in root-ca.crt
```
You will be asked to enter a password. Make sure it is one you will remember.
Configure Burp Suite to use TLS 1.2
It would appear that you need to make Burp Suite use TLS 1.2 in order to fully get it to work, as TLS 1.3 will cause problems. You can do this by editing C:\Program Files\BurpSuitePro\BurpSuitePro.vmoptions.
Before
```text
# Enter one VM parameter per line
# For example, to adjust the maximum memory usage to 512 MB, uncomment the following line:
# -Xmx512m
# To include another file, uncomment the following line:
# -include-options [path to other .vmoption file]
-XX:MaxRAMPercentage=50
```
After
```text
# Enter one VM parameter per line
# For example, to adjust the maximum memory usage to 512 MB, uncomment the following line:
# -Xmx512m
# To include another file, uncomment the following line:
# -include-options [path to other .vmoption file]
-XX:MaxRAMPercentage=50
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
-Djdk.tls.server.protocols=TLSv1,TLSv1.1,TLSv1.2
```
Import Certificate into Burp Suite
Open Burp Suite and navigate to Proxy => Options and select Import/export CA certificate.
Under Import, select Certificate and private key from PKCS#12 keystore. Click Select file... and navigate to the folder you created the certificates in. Select the file ending with .pfx and enter your password. Click Next and Close.
While you're here, make sure you select the Proxy Listener, click Edit, and change the address to either All interfaces or the external IP of your computer on the same network as your iDevice.
Install Certificates on iPhone
On your iDevice, go to Settings => Wi-Fi and select the blue i next to your network name. Select Configure Proxy under HTTP Proxy and select Manual. Enter the Burp IP Address and Port and click Save.
Open Safari and navigate to http://burp. Click CA Certificate in the top right corner and click Allow. It will tell you that the Profile Downloaded and that you will need to install it in the Settings app.
Open Settings and you should see Profile Downloaded at the top of the main Settings page. Click it. If you do not see it, go to General => Profiles & Device Management and you should see it under Downloaded Profile. Click it and click Install. Enter your passcode and click Install two more times. You should now see a green Verified checkmark.
Now you need to tell the iPhone that it should absolutely trust this certificate authority. Navigate to Settings => General => About => Certificate Trust Settings and flip the grey selector to green next to the name of your certificate authority.
Smoke Test
The easiest way to test that this is working properly is to go to https://burp. You should see a lock next to burp in the address bar. That's boring, though. You should now be able to do whatever you like, such as snooping on nearly all programs and visiting any website.
Supposedly there may be some issues with certain apps, and I don't really know the exact implications of disabling TLS 1.3 since most websites do not strictly require only TLS 1.3, but keep in mind that we did disable it in case you run into issues in the future.
If you're still running into issues, I DO have SSL Kill Switch 2 installed as described on my page for that, so I'd give that a shot as well. I don't actually know how much it is affecting the fact that I am able to snoop on any app I've tried.
Cydia Impactor
Summary
Cydia Impactor is a tool that makes installing unsigned IPAs on your iPhone a breeze. It's available on macOS, Linux, and Windows, however, for this tutorial, I will be focusing primarily on Windows as that's what I have installed this week.
The biggest downside to this is that it requires an Apple Developer ID, which costs $100 per year. That's no small change, but if you're working with the iPhone on a regular basis, it's well worth the cost to not have to deal with things like unsigned IPAs being difficult to install, having to re-sign everything every 7 days and the hassle of forgetting to re-sign AltStore, or having a limit of 10 apps you can sign per week. I can say with certainty that I will make up the $100 (and then some) in the time that I would have lost without this.
Apparently there's a way around needing a developer account with a Cydia Substrate tweak, but I believe I'd still have issues considering I'm on iOS 13.5 with unc0ver and that isn't a permanent jailbreak. If $100 per year is too steep for you, I recommend figuring out how to go about that.
Installation & Setup
Purchase an Apple Developer Account
I don't know how the exact process works these days since I set mine up in like 2007 and was just able to renew it, but it should be pretty self-explanatory.
You will then need to create an App-Specific Password to use with Cydia Impactor. Depending on how much is linked to your Apple account, it might not be a terrible idea to create a second account and add it as a Developer to your main account, then create an App-Specific Password for that new account. That way, if it gets leaked, you aren't giving out access to your main account. I do not know if this is possible with personal accounts, though.
"Install" Cydia Impactor
You can download Cydia Impactor here and extract it. It's a 32-bit program with no proper installer, so I opted to move the folder to C:\Program Files(x86)\Impactor and create a shortcut in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Impactor called Impactor so I could easily launch it in the future.
Setup Cydia Impactor
I'll take the time to note here that the application is not resizeable and looks terrible on my 4k monitor due to resizing issues seen below.
To fix this, I right clicked on Impactor.exe and clicked on Properties => Compatibility, Change high DPI settings and changed Override high DPI scaling behavior to System (Enhanced). Much better!
Now that everything's pretty and installed, we can move on to setting up a few QoL things.
Cydia Impactor will, by default, ask you for your username and app-specific password every time you try to install an app. This can get annoying pretty quickly if you install a lot of apps. To get around that, you can hit the Super (Windows) Key and type env. Press Enter to open Edit the system environment variables. Click on Environment Variables and add two new entries to the top pane.
IMPACTOR_APPLEID_USERNAME
IMPACTOR_APPLEID_PASSWORD
These should be fairly obvious, so put in your username and app-specific password here.
Usage
Once you have all of the above set up, you should be able to just connect your iPhone via USB, make sure it is selected from the list, and drag the IPA onto the Window. Within moments, your IPA should be installed on your device.
If you're looking to get started with something, I'd check out the OWASP MSTG Crackmes.
NOTE: I've been having some issues with Cydia Impactor recently that are causing an error whenever the ipa I'm trying to upload is being validated. I've been meaning to look into this more, but for the meantime, I've been using AltStore with my Developer Account to get unlimited apps that don't expire in one week.
Frida
Summary
Frida is an awesome utility that is well known among mobile penetration testers. It allows you to write JavaScript code to inject into running processes in order to change the behaviour of methods and functions on the fly. As an example, if you're testing an application and would like to bypass a login request, you can use Frida to hook the function that checks whether you supplied the proper password and make it return that you did.
Installation
- Start Cydia and navigate to the Sources page.
- Click Edit in the top right corner, then Add in the top left.
- Enter https://build.frida.re and click Add Source.
- Click on build.frida.re in your list of sources and click All Packages.
- Install the corresponding package for your device.
- Reboot.
I chose Frida for A12+ devices on my iPhone SE 2. If you don't know what your device is, you can check the following list:
- Frida for 32-bit devices:
  - Devices released on/before September 2012 (iPhone 5 and older)
- Frida for pre-A12 devices:
  - Devices released between September 2013 and September 2017 (iPhone 5S to iPhone 8/X)
- Frida for A12+ devices:
  - Devices released after September 2018 (iPhone XS/XR and newer)
Smoke Test
I won't go through how to install Frida on your workstation, but it needs to be done. You can find instructions here.
If you haven't done so already, you will need to make sure that the device is connected via USB and unlocked. Then run the following command:
```bash
idevicepair pair
```
You will be prompted with ERROR: Please accept the trust dialog on the screen of device <UDID>, then attempt to pair again.
Click the Trust button on the dialog on your iPhone and run the previous command again. You should now see SUCCESS: Paired with device <UDID>.
You can test that everything is working by running the following command:
```bash
frida-ps -U
```
If you receive the message Failed to enumerate processes: this feature requires an iOS Developer Disk Image to be mounted; run Xcode briefly or use ideviceimagemounter to mount one manually, you will need to download the Developer Disk Image from this GitHub Repository. It needs to match the iOS version on your device, so since I'm using iOS 13.5, I would download this Disk Image.
Once downloaded, unzip it and go to its directory. Unlock the device and run the following command:
```bash
ideviceimagemounter DeveloperDiskImage.dmg DeveloperDiskImage.dmg.signature
```
If you're getting mount_image returned -3, you may be fine. Try frida-ps -U again. I spent way too long trying to figure out why it wasn't working, when it really was.
You should see output similar to:
```text
PID Name
--- --------------------------------------------------------
569 Cydia
957 Settings
546 Siri Search
451 ACCHWComponentAuthService
439 AppleCredentialManagerDaemon
561 AssetCacheLocatorService
472 BlueTool
518 CAReportingService
552 CMFSyncAgent
494 CloudKeychainProxy
448 CommCenter
463 CommCenterMobileHelper
555 ContainerMetadataExtractor
...
```
Usage
I may add to this with some of my own stuff at some point, but for now, I recommend you check out the OWASP MSTG Crackmes as several of those have iOS Frida solutions.
Liberty Lite
Summary
NOTE: This isn't working for me on iOS 13.5 on the iPhone SE 2 as of June 4th, 2020. I'm going to leave it installed in hopes that it eventually works, though.
Liberty Lite is a tweak that can be installed via Cydia to hide the fact that you are on a jailbroken device. In order to properly verify that Liberty Lite is working, I recommend having an app in mind that you know will not run if a Jailbreak is detected. Try to open it before and after the following steps.
Installation
- Start Cydia and navigate to the Sources page.
- Click Edit in the top right corner, then Add in the top left.
- Enter https://ryleyangus.com/repo and click Add Source.
- Click on Ryley's Repo in your list of sources and click All Packages.
- I saw several reports that Liberty Lite (Beta) is the only one to work with iOS 13, so I installed that one.
- Click Restart Springboard.
Configuration
Go to iOS Settings => Liberty Lite => Block Jailbreak Detection and enable the applications you wish to hide your jailbreak on.
SSL Kill Switch 2
Summary
SSL Kill Switch 2 can be installed as a Cydia Substrate tweak on a jailbroken device and allows you to perform a man-in-the-middle attack on anything running on your iPhone, regardless of whether the developer of the application properly pinned their SSL certificates. This makes the device incredibly insecure, but it is great when we want to snoop on traffic using something like Burp Suite.
Installation
I had a lot of trouble getting Burp Suite to work with iOS 13.5, but one of the things I have installed in my current (working) configuration is a modified SSL Kill Switch 2 from julioverne that was a result of a TweakBounty.
Open Cydia and go to Sources => Edit => Add and add the following URL:
https://julioverne.github.io
Navigate to julioverne's Repo => Tweaks => SSL Kill Switch 2 (iOS 13) and Install it.
Open Settings => SSL Kill Switch 2 and toggle Disable Certificate Validation to on (green).