We got some fantastic gifts of jailbreaks about the holiday so naturally I get very excited and dove right in so I can start getting back into research for iOS 10.3+ and iOS 11. The first step in this research is getting physical access to the device and capturing data. For some background please refer to my previous article on this: iOS Imaging on the Cheap!
This article will include the jailbreaks for iOS 10.3.3 using Meridian and iOS 11 using LiberiOS. My go to for all jailbreaks is The iPhone Wiki. Always, always, always make sure you go to the legitimate jailbreak host to ensure non-compromised jailbreak software. These two jailbreaks are semi-tethered jailbreaks meaning they return the devices to non-jailbreak status when the devices are rebooted. Begge disse jailbreaks er apps som kører på telefonen, så du vil være nødt til at downloade en IPA-fil og installere dem via Cydia Impactor.
- Download IPA
- Plug in the device
- Drag & Drop on Cydia Impactor
- Input Apple ID email
- Install will do its thing, depending on your developer status, you may need to trust the app developer in Settings.
Let's start with an iPad Mini on iOS 1
If all goes well.
If all goes not as well as hoped.
Next step is to SSH into the device. This was also a bit frustrating – part of it because I did not read the FAQ and part because the SSH software installed on the device is not very stable.
First off the SSH port used on 2222, not the normal 22 iproxy 2222 4242 (or some other port number) instead of 'iproxy 22 2222'.
Second is the SSH software used, dropbear. I had serious issues attempting to SSH into this device. Sometimes it worked, sometimes it refused the connection. Just keep trying is my solution – it will eventually work.
Finally, once you are sure to change the passwords for the 'root' and 'mobile' accounts by using the command 'passwd root' and 'passwd mobile' (see the screen shot below in the next section).
To image the device you can use a modified version of the command that I used in my previous blog article
ssh -p 4242 firstname.lastname@example.org '/ meridian / bins / tar -cf - /'> ios_physical_logical_dump.tar
This jailbreak (as well as LiberiOS) are installing their own set of binaries which include some normal Unix utilities not installed on iOS. The tar command is in a different directory than what is normally used therefore it may not work to just use 'tar', instead point it to the one Meridian put on the device.
Another item you may have noticed that has changed with Det kommandoen ovenfor er at jeg gjør en fysisk logisk overtagelse av hele anlegget ved bruk av hovedkatalogen eller '/'. Tidligere ville jeg fange systemet partition som en fuld dd image ved hjælp af / dev / disk0s1s1, men noget med disse nyere operativsystemer begrænser min adgang til det. Best guess at this point is that it's an APFS thing ¯ _ (ツ) _ / ¯. Shown below does a simple 'xxd' to view the partition is not allowed as root, this also goes for 'dd' and other utilities.
While this makes me a bit sad, I can still grab a logical copy of the files On the system and data partitions in one shot by using the command above. I've had some issues with the take command exiting and eventually just had to assume. I had all the files just on the size of the bundle so keep an eye on it.
Next up is an iPhone on iOS 11.1.2 using Liberio. Installation was just like Meridian – quick, easy, and flawfless.
During Jailbreak (the color of the 'Jailbreak' changes slightly)
If all goes well.
This jailbreak was less quirky. As with the other jailbreak you should change the password for the 'root' and 'mobile' account immediately. This jailbreak provides the following instructions when first SSH'ed into. I highly recommend running the export command shown below.
I was able to run the same command to procure a 'physical logical' acquisition of the device with a slight change because of where LiberiOS puts the tar utility. Één gang kan du få et par fejl på grund af at filerne bliver ignorert eller ikke tillatt å være fanget ved 'tar'. This is normal.
ssh -p 4242 email@example.com '/ jb / usr / bin / tar -cf - /'> ios_physical_logical_dump.tar
Enjoy the new jailbreaks and your forensic research and acquisitions may be fruitful ! I would also like to give a big THANK YOU to everyone who worked and contributed to these jailbreaks – they really do help with forensic research!