An analysis on iOS

Jail-breakingRendered by Heqing

1

Outline• What is Jailbreak • Why to Jailbreak— a Self-redemption• iOS firmware authentication mechanism• identifying yourself (By pass the

firmware authentication )• Storing the SHSH for later

authentication• iOS exploits classification• iPhoneLinux—building your own

playgournd• Some related Legal Issues• Some Points of Jailbreaking

2

3

What is Jailbreak A. iOS is Apple's mobile operating system,

which is derived from Mac OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system

B. Apple does not permit the OS to run on third-party hardware and also has a limitation on the usage of iOS on these iDevices

C. iOS has been subject to a variety of different hacking methods focusing on attaching functionality not supported by Apple.

4

What is jailbreak

• Hacking methods focusing on attaching functionality not supported by Apple is called iOS Jailbreak.

• A process that allows these iDevices users to gain the root access to the command line of the iOS operating system

5

Why to JailbreakA. Download extensions and themes that are

unavailable through the App Store (via installers such as Cydia)

B. Perform other tasks, including installing non-Apple operating systems such as Linux, running multi-task on old version of iDevices

C. Through the authentication server developed by the Jailbreak community built up to freely downgrade to certain version of firmware

D. Cydia creator Jay Freeman estimates that over 10% of all iPhones are jailbroken.

E. …..6

iOS firmware authentication mechanism

• SHSH Blob is short for Signature HaSH. SHSH Blob is a 128-byte RSA signature used to verify the validity of firmware on newer Apple iOS devices

• Exclusive Chip ID, or ECID is a 16-digit hexadecimal number used to uniquely identify Apple iDevices, which is now widely considered as a new security feature from Apple, implemented to stop Jailbreaking of future firmwares.

7

iOS firmware authentication mechanism

A. SHSH and the ECID of a device is combined to be used by Apple, as a challenge key in its challenge-response authentication protocol.

B. This authentication is done in order to perform digital signing on iOS software.

C. Then the response from Apple is the SHSH Blob itself, the digital signature required to validate the firmware.

8

iOS firmware authentication mechanism

A. During the restore process, users see "Verifying restore with Apple...”

B. iTunes in the authentication process is taken as the signing software and also the protocol enforcement party whenever the iOS software upgrade or restore.

C. When you restore your iDevice, iTunes contacts the Apple servers, to generate signatures, SHSH, just for your device, based on the personalized firmware, the iTunes will only authorized to restore the firmware version that addressed in SHSH, which is no downgrade available.

9

identify yourself --By pass the firmware

authentication A. Since Apple will only sign the most currently

published version of firmware, that is it stops signing any lower version of iOS on corresponding iDevice.

B. Some version-based Jailbreak will work only on the old unpatched firmwares.

C. Nightmare ? For Jailbroken iDevices. No!!!

10

identify yourself --By pass the firmware

authentication A. The static challenge key (ECID+SHSH), makes a

saved copy of the signature every useful in a replay attack to trick the signer iTunes into validating an old firmware.

B. A fake server that user can point the iTunes to by attaching a pair, like “126.192. 208.100 gs.apple.com” to the hosts file locally.

C. This server mimics the functionality of Apple’s signature server, which using “on file” results rather than apple’s live challenge and response.

D. This self-constructed server will play the man in the middle (MiM).

11

Save the SHSH for later authentication (reply

attack)A. Whenever to update of iDevice to a newer

firmware without saving ECID SHSH blobs, people not only lose jailbreaking but also the ability to downgrade their iDevice to an older firmware.

B. Even for the user who don’t playing a jailbreak, should consider using the new “on file” service.

C. There is a case that Apple releases an OS upgrade in the future, a user takes it, and then accidentally break something important, like the e-mail account, or todo list. 1

2

Save the SHSH for later authentication (reply

attack)A. This server acts as a cache for any SHSH blobs

it hasn’t seen, who effectively registers the users iDevice with the “on file” mechanism, therefore users can now enjoy the protections of being able to downgrade your firmware whenever in the future.

B. After one has just stored a copy of Apple's sign off and then returns it at a later point, a replay attack can be sufficient any time a downgrade is required by the user.

13

iOS exploits classification

• Why firmware version are so important?

• Specific exploits in related firmware.

• Three main types of exploits: Userland Exploits, iBoot Exploits and Bootrom Exploits

14

iOS exploits classification

Userland ExploitsA.The term userland refers to all the code that is not running in kernel space but in user space, like safari or mail receiver.B.It is untethered Jailbreak, user-friendly and platform independent, as it is related to the application layer but not the iBoot layer.C.Drawbacks : filesystem access only, no very low level control of the kernel; easily fixed.

15

iOS exploits classification

iBoot ExploitsA.Render low level control to the iOS, iBoot access. B.iBoot exploits are found in the iDevice’s third

bootloader, called iBoot. C.Break the code signing mechanism from iBoot, and

then user can install and run program that does all the ‘evil’.

D.Precious exploits, although it is tethered, since it is at a deeper level type of exploits, through which user could enable the device to accept custom firmware and probably jailbreak forever more

16

iOS exploits classification

Boot － ROM ExploitsA.The lowest level control to the iOS, completely

by pass the code signing mechanism. B.iDevice’s 1st bootloader, the SecureROM (code

flashed in the hardware) C.Disable signature checks and then load patched

NOR firmwareD.Cannot be patched easily by Apple, but need

new chip.

17

iOS exploits classification

Based on the layered exploits classification and corresponding mechanism and working environment introducing, is based on

this Bootchain below:

SecurityROM ->LowLevelBootloader(LLB)->iBoot->Kernel->System Software

Bootrom Exploits->iBoot Exploits ->Userlands Exploits

Each of high layer checks the signature of the next lower layer before loading into it.

18

iPhoneLinux program—building your own

playgroundA. the iPhonelinux, which is aiming at porting linux

on the iPhone and make a Free (free software) OS alternative

B. Replacing the BootChain that is after iBoot:

• SecurityROM ->LowLevelBootloader(LLB)->iBoot->Kernel->System Software

• SecurityROM->OpeniBoot->Linux Kernel->X Server->Window Manager

19

iPhoneLinux program—building your own

playgroundA. On April/21, 2010, an Android distribution

based on iPhoneLinux called iDroid was released, which fully port the Linux kernel and the Google Android OS to Apple's iDevices.

B. 'OpeniBoot' bootloader help the team finishing the work to boot the Linux Kernel, and enables users to boot any other Linux based operating system easily.

C. Build up their own playground on the iDevices, without restrictions from Apple

20

Legal IssuesA.Copyright ? B.Unlock their phone in order to switch carriers ?

C.To traffic in the tools used to make jail-breaking easy ?

D.Share paid App Store applications ?

21

Legal IssuesA. July 26, 2010, The U.S. Copyright Office has

approved exemptions to the DMCA the legally Jailbreak.

B. It is still possible Apple may employ technical countermeasures to prevent jailbreaking or prevent jailbroken phones from functioning, but they will not be able to sue users who jailbreak.

C. Unclear whether it is legal to traffic in the tools used to make jailbreaking easy

D. illegally share paid App Store applications caused some strife within the jailbreaking community

22

Some Points of Jailbreaking

A deeper and wider desire• "rejected application" (Apple likes to claim that

they didn't reject these applications, they simply "didn't accept" them...). Camera recording, multi-task…

• Jailbreaking isn't just about applications that Apple "rejected", but is also about taking provided tools and going in a new direction. The most popular packages available in Cydia aren't even "applications", but are "extensions": seamless and pervasive modifications to existing software.

23

Thank you! ; )

24