Hi HN, author here! For the past three months, I've been obsessively working on gala, a jailbreak for iOS 4 that currently targets the iPhone 4. While other jailbreaks for this device, and this iOS version, already exist, the 'special sauce' of this jailbreak is that it comes with a 6-part series describing the building of a jailbreak and the many challenges that arose when jailbreaking iOS. The series includes interactive visualizations at every step of exploiting the device - from pulling memory dumps of the boot ROM to debugging a flashed filesystem image.<p>That said, this isn't just a bare-bones jailbreak with some writing attached: gala is a fully-fledged suite that includes a significant Python application, a Cocoa GUI for end-users, a Rust payload, Cocoa Touch games to play within the boot environment while the jailbreak completes, and C utilities that run on-device.<p>This was a lot of fun, and the journey included lots of milestones: when an iOS device boots, it does so in discrete stages (boot ROM, then boot loader, then kernel, etc.). This meant that my experience of developing this jailbreak also included these milestones, as over time I successfully compromised and ran each of these stages!<p>Building this was personally exciting because I used to regularly make and sell tweaks for jailbroken phones on Cydia. The jailbreaks themselves always seemed like inscrutable black magic, until now!<p>I'm really gratified to have finished up this project, and am excited to put it out into the world. Please feel welcome to have a look at the code, the writeup, or give it a spin on an old iPhone 4 that you have lying around. I hope you enjoy!
I finally created a hackernews account after lurking for years just to write this. Thanks for taking the time to capture what (for many) was a mystical black box for years. I have distinct memories of being super nervous whilst jailbreaking my iPod 4G on iOS 4, wondering what all the scrolling terminal messages meant. Then, doing it for my mates over school lunch, worrying that I might unintentionally screw up their phone and be responsible for a few hundred dollars worth of 'bricked' technology lol.<p>In a way, all those years later, that 'magic' of breaking through Apple's walls and running custom code is what enticed me to get into programming. I have immense gratitude to all involved.
Thanks for writing this. It takes a deep understanding to explain such complicated concepts in an accessible way. Reading it brought back fond memories of hacking on jailbreak projects deep into the night.
That was indeed enjoyable to read! Especially as someone who is still terrible at reverse engineering native code.<p>Now, this is a tethered jailbreak since it uses the system recovery mechanism to breach the chain of trust and ultimately boot a modified version of iOS. I have to wonder how untethered jailbreaks work. Am I right that they don't go through the secure boot chain at all, leaving it intact, instead exploiting one of the privileged processes in a running system (or a non-privileged one, and then doing a separate privilege escalation exploit)? How do they gain persistence then? How do they patch the signature checks out of the kernel without tripping any signature checks in the bootloader and the kernel itself?
Thanks for building this. I have an iPhone 4s with a lot of special pictures. Somehow I forgot my PIN and have to wait for years.
If not because of the pictures I’ll just reset it.
Can I use this to reset the PIN and copy my pictures?
This was a great write up! But the gut-wrenching moment was seeing the old iOS interface in all its skeuomorphic glory. Jesus, how much I hate John Ive!
Really enjoyed reading through the first few parts! Cool to follow along from this kind of perspective. I too read through tons of source code to figure out how other people implement things like exploits, fun to see someone else does the same :)
Haven't read this yet, but looking forward to it. Just wanted to say that I used every one of the tweaks listed at the beginning and wanted to thank you for making them. Early iOS jailbreaking was so much fun.
Super nice, I tried to run it but my old device didn't boot to begin with, unfortunately.<p>I also made tweaks back then, and I also found jailbreaks to be black magic. Reading this, I still kind of think so :)
Thanks so much for writing this up! I am super interested in learning about this kind of content (in particular I'd love to learn to "free" cheap wifi security cameras with my own custom firmware, dafang-hacks style, or how to create a new exploit to root kindle fire tablets, stuff like that), but it is surprisingly hard to find detailed writeups of the process.
Thanks for this, beyond anything I'll likely ever do myself but a fun read :)<p>FYI the link to part 3 at the bottom of part 2 [1] seems to be unreachable via mouse. On desktop the element img.terminal_in_demo_with_window is overlapping and blocking the link for me<p>[1] https://axleos.com/exploiting-the-iphone-4-part-2-bypassing-the-boot-chain/
Magnificent post! I read it in one go, being captivated by revealing the closed gardens that are iOS. Only recently got into jailbreaking, so this is perfectly timed. Thank you so much for IMHO the best HN post of 2023.<p>Errata:
Part 5 has trailing ```<p>$ /usr/sbin/asr -source /mnt2/rootfs.dmg -target /dev/disk0s1 -erase```
This is very cool, and it’s a fun read so far.<p>I have a tangential, low-value question that I figured I might as well ask since the author is here. I have an old iPhone 4s whose passcode I have forgotten. I’d like to get some of the photos and data off. As far as I can tell, this exploit doesn’t require “legit” access to the device. Would this process be useful for retrieving data that’s already on the device?
As others have already said, thanks for putting this together and making these topics easy to grasp all these years later. It's nice seeing some familiar irc.saurik.com handles in this thread, too :)
Nice! I might bust out my 4 and use it in public for laughs.<p>People are already agog when I pull out my original SE, the only phone I use (and widely considered the best iPhone Apple made).<p>Kinda sad, really, what people put up with now.
Hi Phillip. Lovely article and blog in general! Is there an RSS URL I can't find? Would like to subscribe, but I find email newsletters irritating.
For fun things you can do with a good working jailbreak, check out this integrity validator that checks if your phone is free of malware by exploiting it:
https://github.com/trailofbits/ios-integrity-validator
Super interesting read, definitely nostalgic. Are you planning to further expand gala's functionality to use a different exploit to gain persistence in the exploit chain for an untethered jailbreak?
Nice. 178 pages printed to PDF in case the website disappears.<p>Have you done anything with this on Qemu?
https://github.com/danzatt/QEMU-s5l89xx-port/blob/master/hw/s5l8930.c<p>> This made the real issue clear: iOS 4 ships with an outdated set of root SSL certificates,<p>A lot of old software installations are in this situation, you can't install SBS2000 or SBS2003 Premium without turning back the clock on the server to 2001 and 2004 respectively.<p>For any closed source, I've found Ghidra[1] to be quite easy to use and understandable.<p>[1] https://ghidra-sre.org/