Montag, 30. Dezember 2013

iOS 7 untetherd Jailbreak for iPhone 4: "simple7break" 1.0

Hi everyone :D
After evasi0n7 was released with a huge drama i decided to update my JB tool to include the updated Cydia and the evasi0n7 untether, give it a name (simple7break) and make it userfriendly.

Ok let's get to it :D

What do you need:
- Mac (sorry this is Mac only, since it's a fun project without a real use/need)
- Java installed (that should be the case by default on Mac's)
- iPhone 4 model iPhone3,1 or iPhone3,2 (sorry that doesn't work with iPhone3,3 again it's a fun project)
- 5 min of time

So first you need to download simple7break
make sure you only download it only from trusted sources, like links in my twitter acc ;)

There we go! Now you should have a file called "" which you need to extract.
Now you can chose either open a Terminal, cd into that directory and execute "./install"
or you simply doubleclick the install file in finder and chose "Open with terminal" if it asks you.
Now connect your iPhone 4 and put it in DFU mode. You know that mode, when you have to press Power + Home for 10 sec and then release Powerbutton, but keep still pressing Home for 15 sec.
You should now see that the ssh ramdisk tool starts doing stuff.
After it finishes doing it's magic, your device reboots and you should see the evasi0n7 boot screen, saying patching kernel and stuff. When your device boots up just unlock it and wait a bit.
After some seconds a popup shows up saying something like "no more space left on device", you can safely ignore this and tap ok if you want and be happy, because it works :D
Just continue waiting and eventually your device reboots again. Now you should see the evasi0n7 screen again (i really like that screen, that's why i show it to you twice :P).
After the device boots up the second time you should finally have Cydia on your SpringBoard yeay :)
Basically you're jailbroken now and good to go, but i really recommend reading further and doing this last step too. Open Cydia and let it configure the filesystem (you know, this thing which always happens when you open up Cydia for the first time). Then open Cydia again, go to the changes tab and hit update in the left to corner. That reloads the Packages and you should see at least 6 new updates (i think that were 6) including ncurses and evasi0n untether. Now it's very important that you DO INSTALL THE UPDATES. That will finally make everythink clean and solid.
This is needed because i modded the install script from the ncurses package to remove the preinst script (which caused errors for reasons i don't know) and with the update you do in cydia this get's fixed. In theory this is not that much important, but you know it's a "beauty fix" :P
Same for the evasi0n7 untether, which updates to give you the latest kernel patches by evad3rs.
(basically it reinstalls the same package with no modifications at the time of writing (version 0.2) but again, that's my "beauty fix" :P)
Well after you done the updates you're good to go :D
Have fun with this drama free iOS7 untethered Jailbreak.
If you have any questions or issues, feel free to contact me on twitter @tihmstar or on freenode irc in #openjailbreak channel (if you contact me on irc give me some time to respond and don't leave -_-)

Hope you enjoy,
tihmstar :D

Samstag, 9. November 2013

what is fuzzing

 <tihmstar> well basicall fuzzing is inputting maltious requests to a ?"process"? ?"parser"?
10:02 <tihmstar> the fuzzing we do is modifying a mov file
10:02 <tihmstar> then we try to open the mov file in mobileSafari hoping it will crash
10:02 <JBUni> because of the JIT compiler, right?
10:03 <tihmstar> by "fuzzing a file" we (at least i) mean modifying a file, basically randomly changing some bits
10:03 <tihmstar> *bytes
10:04 <JBUni> right, i get this
10:04 <tihmstar> we have a tool called zzuf which modifys the file for you, but since obvously there is a very low change to make MSafari crash by modifying some bytes we need to do it again and again
10:04 <tihmstar> therefore smart people around here (me included :P ) createt scripts/tools to automate this process
10:05 <tihmstar> all tools are a bit different
10:05 <JBUni>  i have a question about that, actually
10:05 <tihmstar> ok just ask
10:06 <JBUni> is it possible to insert syscalls in the form of hex, and have the kernel read those and redirect to a different part of memory, etc?
10:06 <JBUni> instead of just random bytes
10:06 <tihmstar> to the mov parser?
10:06 <JBUni> yeah
10:06 <tihmstar> well that's more of a exploit
10:07 <tihmstar> first you need to know if there is a bug and how to trigger it
10:07 <JBUni> ah, and to do that, we need to find out where the parser breaks, right?
10:07 <JBUni> okay
10:07 <JBUni> gotcha
10:07 <tihmstar> then you can start looking at the bug hoping you can let it do something more like just crasjing the process, like inserting malcious code
10:07   sock__ (was sock__-) joined   sock__ quit  
10:08 <JBUni> hmmm
10:08 <tihmstar> looking at fuzzycactus for example: you give it a mov file and it automatically does following things in a loop (until the device crashes): creates a fuzzed file with zzuf, opens that file in mobilesafari, waits some time, kills safari and the loop starts from beginning obviuosly the new fuzzed file is different than the one before
10:09 <JBUni> but with a program that runs randomly like this, you're unable to keep proper track of which bugs happened
10:09 <JBUni> isn't it better to manually fuzz files?
10:09 <tihmstar> no ...
10:10 <JBUni> hmm... ok..
10:10 <tihmstar> fuzzycactus also looks for crashes and copies them into a dir
10:10 <JBUni> so we are only interested in crash logs?
10:10 <tihmstar> no ...
10:10  JBUni facepalms
10:10 <JBUni> ok, i'll be quite, please go on
10:11 <JBUni> quiet*\
10:11 <tihmstar> it also pairs the crash to the mov file caused the crash and to the parameters were sent to zzuf to be able to recreate the file (which you actually don't need since it also copies you the fuzzed file to the dir)
10:11 <tihmstar> if you have a really good crash we are interested in your fuzzed mov file AND your original file
10:12 <tihmstar> in this case send both files and the crashlog to crakun (i think his mail was but im not quite sure)
10:12 <JBUni> yeah, i know his email
10:12 <tihmstar> any questions?

Donnerstag, 31. Oktober 2013

apt-paid command line tool for iPhone

Once again, my awesomeness created something cool.
Just kidding, but seriously, i wanted to leard Obj-c a long time ago and now i actually started doing so.
Since i have an iPhone 4 jailbroken on iOS 7 i want to somehow install tweaks.
Maybe you guys know that i managed to install Cydia, but the problem ist that Cydia is almost completely broken. So beside of the UI also the "install paid package" thing is broken. That means obviously i can not buy packages (because of incompatibility with iOS 7) and i also can't install packages i already bought. Of course i linked my device to my Cydia acc and that's actually enough to install all packages i buy. Linking a device to Cydia means actually linking the device's uuid with your acc.

And that was the first thing i realised after having Cydia installed, the uuid is not correct.
Cyida tells me my uuid would be something like FFFFFFFF************* , obviously my uuid does not start with lots of "F" so the problem was found real quick.
Ok i don't need Cydia to install packages, i can use apt-get, the problem is i can't install paid packages with apt-get either. But apt is actually quite usefull, so i thought why not create something to install paid packages via terminal?
So did i.
The first thing was to find out, how Cydia tells the server that the package is bought, so i MiTM my jailbroken iPhone 4s. I found out, that the Header is the important thing, Cydia send the uuid, model (iPhone4,1), iOS, custom useragent to saurik's server. If everything is vaild you get a 302 moved temporarily response redirecting you to a different server with the GET parameter "key" i don't know what that does exactly, as the only important thing is to send the uuid to saurk's server.
So i created a little Python script to test that.

Now knowing how everything works the next step was to create an iPhone command line tool.
As i already had iOSOpenDev installed i just made a new command line tool for iOS.
I decided to create a Foundation tool (Obj-c) and not a C tool, simply because i wanted to practise and learn the language.
After a very long evening i managed to get everything working, using "apt-get -q -y --print-uris install [pkgname]" to get the link for the package and "deviceinfo -u" to get the uuid and finally dpkg to install the package.
 For those who might still have the question, yes you need to purchase the tweak first to be able to install it using apt-paid, but if your device is linked to your acc you can purchase the tweak on antoher device too.

Finally having this tool is great, but that actually still didn't solve my problem with my uuid as "deviceinfo -u" also displays the wrong uuid starting with "FFFFFFFF". That's why i decided to build in one little hidden feauture: if you create the file "/var/mobile/Library/Caches/alteruuid" apt-paid will try to get your uuid from reading that file, so finally i connected my iPhone to iTunes, read my uuid and copied it to the alteruuid file.

I know what it means to be able to spoof the uuid with this trick, but i also know that tweaks are pirated anyway and this won't change anything, in fact if you have your friends uuid you can download his tweaks, but if it's your friend you can also simply ask him to link your device to his Cydia acc, as there is no limit for linked devices, so i don't thing apt-paid will change anything here.

apt-paid is made to be able to install paid packages (and free packages too) via terminal or ssh, but it's not limited to that. Propably i will use this tool in a future project, as i want to create remote installation of tweaks, like google play does it.

For everyone who sees benefits from apt-paid and want's to use it, feel free to do so ;)
it's available on my cydia repo ""
if you want to install it via terminal (like i love to do) the package is called org.tihmstar.apt-paid

Have fun and report bugs on twitter or irc ;D

Dienstag, 22. Oktober 2013

My Jailbreaktool for iOS 7

OK guys, i finally fixed the tool created by @stnvh and me for the time and it's finally working now (i hope).
Here's a quick tutorial on using it:

EDIT: I tested 7.0.3 and it works great (booting 7.0.2 kernel though).

First of all the prerequirements:
- you need to be on Mac OS
- Xcode & Command line tools installed
- internet connection on Mac and on iPhone

Note, that this tutorial on works with an
iPhone 4 running iOS 7, 7.0.2 and 7.0.3 and the only thing it does is installing openssh and apt-get. There will be NO CYDIA as it's not fixed officially by saurik yet.

Ok here we go :D
Download this tool: <- (edit) second link for people bugging me not to use a hoster requiering flash -.-

Unzip it and open a Terminal. Now cd into it and execute "./install"
Now simply connect your iPhone in DFU mode and let the tool do it's magic :D
If you get "No space left on device" then something went wrong :(
I suggest you to try it again,
If you see "No such file or directory" that means every thing went fine and your iPhone should have rebooted into recovery mode.

Now you need to install opensn0w with the fix for Mac OS.
"cd ./opensn0w_osx" and when you're in simply run "./build_opensn0w".
That will clone opensn0w from winocm's git, add the Macfix and install it.

After you installed opensn0w it's time to boot your device tethered.
Simply execute in a terminal "/usr/local/opensn0w/bin/opensn0w_cli -p  /usr/local/opensn0w/bundles/iPhone3,1_7.0.2_11A465.plist" if you're having an iPhone3,1 and iOS 7.0.2 if not, you need to adjust the parameter to match your iPhone model.

After your device booted up, you should unlock your device as soon as possible and make sure it's connected to wifi. Then just give it 2-4 minutes to set up dpkg and apt for you. If everything worked the way i want it to, your device should respring now. If that happened, that means everything went fine and you're happy now to have a jailbroken device with ssh and apt. :D
Now you can connect to it's ip and the login root:alpine

If your device did not respring after several minutes of waiting, that means something went wrong :(
But if you done the step before correctly you should be able to ssh into your device anyway.
If you can't ssh into the device you should gone back to the step with "./install" and redo the jailbreak.
make sure it doesn't show you "No space left on the device" because that meant there are problems with mounting the fs.

If your device did not respring, but you can ssh into it, that doesn't mean the jailbreak failed totally.
That just means that you might have some errors with apt-get. If so, sorry i can't help you with that :(
Either you try to rejailbreak again (simply rerun the tool) or go and fix apt and dpkg manually.
The debs you nees might be in /var/mobile/debs if the script did not finished correctly for some reason. But again you should give the phone a bit time before you mess up with that, it might be fine, but simply not finished ;)

So guys, happy jailbreaking ;)
Let me know if you have problems, if it's tool related i will publish a fix ;P

Sonntag, 20. Oktober 2013

Welcome to my Blog,
here i want to post thing which interest me.
That would be iOS and iOS hacking at the moment.
Have fun reading it ;)