Exploiting the iPhone 4

556 points, by codyd51, over 1 year ago

Hi HN, author here! For the past three months, I've been obsessively working on gala, a jailbreak for iOS 4 that currently targets the iPhone 4. While other jailbreaks for this device, and this iOS version, already exist, the 'special sauce' of this jailbreak is that it comes with a 6-part series describing the building of a jailbreak and the many challenges that arose when jailbreaking iOS. The series includes interactive visualizations at every step of exploiting the device - from pulling memory dumps of the boot ROM to debugging a flashed filesystem image.

That said, this isn't just a bare-bones jailbreak with some writing attached: gala is a fully-fledged suite that includes a significant Python application, a Cocoa GUI for end-users, a Rust payload, Cocoa Touch games to play within the boot environment while the jailbreak completes, and C utilities that run on-device.

This was a lot of fun, and the journey included lots of milestones: when an iOS device boots, it does so in discrete stages (boot ROM, then boot loader, then kernel, etc.). This meant that my experience of developing this jailbreak also included these milestones, as over time I successfully compromised and ran each of these stages!

Building this was personally exciting because I used to regularly make and sell tweaks for jailbroken phones on Cydia. The jailbreaks themselves always seemed like inscrutable black magic, until now!

I'm really gratified to have finished up this project, and am excited to put it out into the world. Please feel welcome to have a look at the code, the writeup, or give it a spin on an old iPhone 4 that you have lying around. I hope you enjoy!

27 comments

hamish-b, over 1 year ago

I finally created a hackernews account after lurking for years just to write this. Thanks for taking the time to capture what (for many) was a mystical black box for years. I have distinct memories of being super nervous whilst jailbreaking my iPod 4G on iOS 4, wondering what all the scrolling terminal messages meant. Then, doing it for my mates over school lunch, worrying that I might unintentionally screw up their phone and be responsible for a few hundred dollars worth of 'bricked' technology lol.

In a way, all those years later, that 'magic' of breaking through Apple's walls and running custom code is what enticed me to get into programming. I have immense gratitude to all involved.
ryanpetrich, over 1 year ago
Thanks for writing this. It takes a deep understanding to explain such complicated concepts in an accessible way. Reading it brought back fond memories of hacking on jailbreak projects deep into the night.
grishka, over 1 year ago

That was indeed enjoyable to read! Especially as someone who is still terrible at reverse engineering native code.

Now, this is a tethered jailbreak since it uses the system recovery mechanism to breach the chain of trust and ultimately boot a modified version of iOS. I have to wonder how untethered jailbreaks work. Am I right that they don't go through the secure boot chain at all, leaving it intact, instead exploiting one of the privileged processes in a running system (or a non-privileged one, and then doing a separate privilege escalation exploit)? How do they gain persistence then? How do they patch the signature checks out of the kernel without tripping any signature checks in the bootloader and the kernel itself?
DHowett, over 1 year ago
This is an outstanding write-up! I’m glad to see you’re still active in the community :)
zakki, over 1 year ago

Thanks for building this. I have an iPhone 4s with a lot of special pictures. Somehow I forgot my PIN and have to wait for years. If not because of the pictures I'll just reset it. Can I use this to reset the PIN and copy my pictures?
elzbardico, over 1 year ago
This was a great write up! But the gut-wrenching moment was seeing the old iOS interface in all its skeuomorphic glory. Jesus, how much I hate John Ive!
malwrar, over 1 year ago
Really enjoyed reading through the first few parts! Cool to follow along from this kind of perspective. I too read through tons of source code to figure out how other people implement things like exploits, fun to see someone else does the same :)
ioslife, over 1 year ago

Haven't read this yet, but looking forward to it. Just wanted to say that I used every one of the tweaks listed at the beginning and wanted to thank you for making them. Early iOS jailbreaking was so much fun.
wingerlang, over 1 year ago

Super nice, I tried to run it but my old device didn't boot to begin with, unfortunately.

I also made tweaks back then, and I also found jailbreaks to be black magic. Reading this, I still kind of think so :)
n8henrie, over 1 year ago

Thanks so much for writing this up! I am super interested in learning about this kind of content (in particular I'd love to learn to "free" cheap wifi security cameras with my own custom firmware, dafang-hacks style, or how to create a new exploit to root kindle fire tablets, stuff like that), but it is surprisingly hard to find detailed writeups of the process.
4lun, over 1 year ago

Thanks for this, beyond anything I'll likely ever do myself but a fun read :)

FYI the link to part 3 at the bottom of part 2 [1] seems to be unreachable via mouse. On desktop the element img.terminal_in_demo_with_window is overlapping and blocking the link for me

[1] https://axleos.com/exploiting-the-iphone-4-part-2-bypassing-the-boot-chain/
shoaloak, over 1 year ago

Magnificent post! I read it in one go, being captivated by revealing the closed gardens that are iOS. Only recently got into jailbreaking, so this is perfectly timed. Thank you so much for IMHO the best HN post of 2023.

Errata: Part 5 has trailing ```

$ /usr/sbin/asr -source /mnt2/rootfs.dmg -target /dev/disk0s1 -erase```
el_benhameen, over 1 year ago

This is very cool, and it's a fun read so far.

I have a tangential, low-value question that I figured I might as well ask since the author is here. I have an old iPhone 4s whose passcode I have forgotten. I'd like to get some of the photos and data off. As far as I can tell, this exploit doesn't require "legit" access to the device. Would this process be useful for retrieving data that's already on the device?
dguido, over 1 year ago
Good work, this is super cool!
BHSPitMonkey, over 1 year ago

As others have already said, thanks for putting this together and making these topics easy to grasp all these years later. It's nice seeing some familiar irc.saurik.com handles in this thread, too :)
ShadowBanThis01, over 1 year ago

Nice! I might bust out my 4 and use it in public for laughs.

People are already agog when I pull out my original SE, the only phone I use (and widely considered the best iPhone Apple made).

Kinda sad, really, what people put up with now.
Thaxll, over 1 year ago
I really like the blog layout.
averageRoyalty, over 1 year ago

Hi Phillip. Lovely article and blog in general! Is there an RSS URL I can't find? Would like to subscribe, but I find email newsletters irritating.
behnamoh, over 1 year ago
Does this also work on 4s?
dguido, over 1 year ago

For fun things you can do with a good working jailbreak, check out this integrity validator that checks if your phone is free of malware by exploiting it: https://github.com/trailofbits/ios-integrity-validator
xnyanta, over 1 year ago

Super interesting read, definitely nostalgic. Are you planning to further expand gala's functionality to use a different exploit to gain persistence in the exploit chain for an untethered jailbreak?
brokenmachine, over 1 year ago
Really enjoying the writeup, thanks so much.
fabiensanglard, over 1 year ago
Do you know if there is similar literature about sim unlocking of old iPhones?
thx, over 1 year ago

ok linux n00bie here (w an iPhone 4)

can i jailbreak it w/out knowing how to program (like how difficult ,|,
calini, over 1 year ago
This looks like great work, and I am really hoping work on this continues!
3abiton, over 1 year ago
This is awesome, is there something similar tor Android?
darkclouds, over 1 year ago

Nice. 178 pages printed to PDF in case the website disappears.

Have you done anything with this on Qemu? https://github.com/danzatt/QEMU-s5l89xx-port/blob/master/hw/s5l8930.c

> This made the real issue clear: iOS 4 ships with an outdated set of root SSL certificates,

A lot of old software installations are in this situation, you can't install SBS2000 or SBS2003 Premium without turning back the clock on the server to 2001 and 2004 respectively.

For any closed source, I've found Ghidra[1] to be quite easy to use and understandable.

[1] https://ghidra-sre.org/