ED 420: Jailbreaking an iPhone (15 extra)

What You Need

Purpose

To get root on an iPhone so we can install Unix utilities, compile code, and work with Arm64 exploits.

Using AltStore and Unc0ver

The instructions below are for the Checkra1n jailbreak.

Another option is given in the video below:

Preparing your iPhone

I strongly recommend using a "burner" phone with no personal data on it. Jailbreaking a phone voids your warranty and the changes we make may not be easily reversible.

I bought my phones from https://swappa.com, paying about $60 for a 5S or 6.

If your phone has important data on it, at least back it up first with iCloud or some other method.

Installing CheckRain

On your Mac, in a Web browser, go to

https://checkra.in

Download, install, and launch the latest version of Checkra1n, as shown below.

Checking iOS Version

Connect your iPhone to your Mac with the USB cable.

Checkra1n detects your phone, as shown below.

If it fails, try the old version 0.9.7-beta.

If Checkra1n says your phone has too old an OS, as shown below, do the steps in the blue box below. If not, proceed to the next section.

Restoring and Updating your iPhone

Reboot your phone into recovery mode and restore it using Finder.

To do this on the iPhone 5S, hold down the Home button and the top button together until the phone reboots.

Keep holding both buttons down while the Apple logo displays, until you see the screen below.

Connect the phone to your Mac using an iPhone cable. On the Mac, open Finder. On the left side, click iPhone.

Agree to any prompts that appear so the devices trust one another.

Finder shows a message, as shown below.

Follow the messages to restore the iPhone to its default settings and update to iOS 12. On my phone, the steps were:

  • Check
  • Restore
  • Check
  • Restore and Update
  • Next
  • Agree

It will show this message: "...downloading the software for this iPhone..." for a while. Be patient.

You can see the download progress in Activity Monitor on the Network tab; it needs to download more than 1 GB of data.

When I did it, it downloaded 1.5 GB of data, restarted the iPhone, and continued downloading more data, up to 8.45 GB.

After that, the iPhone could not be activated and iTunes no longer recognized it, so I entered recovery mode again and clicked Update in iTunes.

iTunes showed "Updating iPhone Software..." and the iPhone showed an Apple logo with a slow progress bar.

The iPhone restarted again and another progress bar moved across, more quickly.

iTunes now offered to "Set up as new iPhone". I did that.

I saw this screen for about 5 minutes before my phone rebooted.

Then the iPhone screen went black, so I hit the Home button and tried to start it but it would not activate.

So I unplugged it and plugged it in again. Finder then spent a few minutes waiting and showed an "Activating" message, as shown below.

Then it showed this message:

'The iPhone "iPhone" cannot be synced. The operation timed out.'

Jailbreaking your iPhone

Connect your iPhone to your Mac with the USB cable.

Checkra1n detects your phone, as shown below.

Check the "Verbose Boot" box and click Start.

The next screen explains DFU mode. Read it and click Next.

The phone shows a picture of a cable.

Now you need to press some buttons, guided by the Checkra1n screens. The first screen is shown below.

Follow the instructions, pressing buttons. When you get it right, the phone will reboot, with a lot of text scrolling by.

Checkra1n tells you it's done, as shown below.

Click the Done button.

Close Checkra1n.

Installing Cydia

Swipe up from the bottom of the screen to wake your iPhone.

Your home screen shows a "Trust This Computer?" box, as shown below.

Click Trust.

Your iPhone now has a checkra1n icon, as shown below.

Tap the checkra1n icon.

If your iPhone is offline, connect to a Wi-Fi network and relaunch checkra1n.

If the date on your phone is wrong, you may have to correct it in Settings.

In the "Loader" screen, click Cydia, as shown below.

Click "Install Cydia".

Cydia now appears on your iPhone, as shown below.

Upgrading Cydia

On your iPhone, launch Cydia.

At the bottom, click Changes, as shown below.

Install the essential upgrades.

Click "Restart SpringBoard".

Get Homebrew

On your Mac, open a Terminal and execute this command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Connect to the iPhone With USB

Plug in a cable connecting your iPhone to the Mac.

On the Mac, in a Terminal window, execute these commands to install "libimobiledevice" and start a proxy listening on port 2222 on the Mac, which forwards connections to port 44 on the iPhone via the USB cable.

This works because the Checkra.in jailbreak adds a service listening on port 44 for this purpose.

brew install libimobiledevice
iproxy 2222 44

Leave this window open, as shown below.

In a new Terminal window, execute this command:

ssh -p 2222 root@localhost

Agree to connect by typing yes and enter the password, which should be either alpine or notalpine for the devices provided by your instructor.

You should see a root command prompt, as shown below.

Troubleshooting

If you see a message saying

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

that probably means that a previous iPhone has been connected to this Mac, and its SSH host key is still saved under the same proxied address. To proceed, execute this command:

nano ~/.ssh/known_hosts

Go to the bottom of the file and delete the line beginning with:

[localhost]:2222

Installing OpenSSH (Optional)

This allows you to connect over Wi-Fi, which is riskier than using a USB cable, but may be more convenient.

Launch Cydia again.

In the lower portion of your screen, click "OpenSSH Access How-To".

In the next screen, in step 1, click the blue OpenSSH link, as shown below.

On the next screen, at the top right, click OPEN, as shown below.

On the next screen, at the top right, click Install.

Click Confirm.

Click "Return to Cydia".

Finding your iPhone's IP Address

On your iPhone, open Settings.

Click Wi-Fi. On the line showing your Wi-Fi network's name and a check mark, click the blue circled i, as shown below.

Your IP address appears, as shown below.

Connecting with SSH

On your Mac, open a Terminal and execute this command, replacing the IP address with the IP address of your iPhone.

ssh root@172.20.10.3

It asks "Are you sure you want to continue connecting (yes/no)? ". Answer:

yes

Enter this password:

alpine

Changing the Root Password

Execute these commands to change the password. If you are using one of our in-class iPhones, please use the exact password shown below. Otherwise, choose any strong password you like.

passwd
notalpine
notalpine

Flag ED 420.1: uname (15 pts)

In your SSH session, execute this command.

uname

The flag is covered by a green rectangle in the image below.

Useful Utilities

I like to install these utilities on the iPhone to allow command-line work:

apt install network-cmds
apt install curl nano

References

Homebrew: The missing package manager for macOS (or Linux)
SSH Over USB

Posted 12-10-19
Updated for SSH over USB 12-15-19
Updated to use older checkra1n version 2-11-2020
Checkrain url fixed 2-12-2020
Updated 1-2-21
Swappa link added 2-20-21
Many obsolete references to iTunes launching removed 3-7-21
Video about AltStore added 2-24-2021