Posts tagged Exploit
The Chronic Dev Team has recently published a blog post titled “Weapons of Mass Exploitation” where they provide an update on the untethered jailbreak for iOS 5. It was more of a call to action, asking the jailbreak community to help send in device crash reports via a tool they released called the C-Dev Reporter. The crash reports would help the Chronic Dev Team discover a vulnerability in iOS, which they could use to help release a jailbreak.
In the past, the Chronic Dev Team released GreenPois0n, which was a popular jailbreak tool for iOS 4.2.1. A few months back, they announced that they had discovered 5 new vulnerabilities in the iOS 5 beta and recently a bug in iOS 5 that could possibly help in developing an untethered jailbreak on iOS 5.
The Chronic Dev team has given the following update on the untethered jailbreak for iOS 5:
During my JailbreakCon talk in September, I was excited to announce that the Chronic Dev team had already discovered 5 different exploits for use in our upcoming jailbreak. Unfortunately, that announcement was a bit premature, because in the subsequent weeks, Apple found & patched a (critical) few of those exploits, between the beta versions we used for testing and the final release of iOS5 on October 12.
Sadly (and trust us, we are much more sad about this than any of you could possibly be), this has prevented us from being able to release a new jailbreak as quickly as we wanted to. As I hinted at earlier this week on Twitter, I was initially disheartened to think that so many of the countless hours we’ve worked on this jailbreak seemingly went right down the drain.
Not to mention, these are by no means the first exploits that have been “lost” by Chronic Dev (or any other iOS hacking teams) in this manner. In fact, these are just a few in a long-running series of exploits that were patched by Apple before we hackers could make use of them in a free jailbreak for you, our loyal fans.
They then went on to explain the method Apple uses to find vulnerabilities:
One of the primary challenges in working with userland exploits is that, every time any program crashes on your iPhone, a “crash report” is generated and instantly sent back to Apple. As you can imagine, while we’re working out all the kinks in the exploitation of a vulnerability, we may need to crash any particular program thousands & thousands of times.
It’s possible to change your iTunes settings to stop sending this diagnostic information back to Apple, and of course everyone in Chronic Dev has made this change on all our development machines. However, even this is not always 100% effective at preventing Apple from obtaining our data. For instance, if one of us is at a friend’s house and plugs our iPhone up to his or her computer (even just to charge it), it’s very likely that computer is set up to send all our valuable data & crash reports right back to Apple.
Chronic Dev team have released a new tool called C-Dev Reporter, which uses a similar method to help find the vulnerabilities:
All this program requires from you is to attach your iOS device to your computer and click a single button!
At this point, the program copies all the crash reports off your device (which, under normal circumstances, would be sent right back to Apple), and instead sends this data to a secure, private server hosted by your friendly Chronic Dev team. Next, our program proceeds to neuter your copy of iTunes, simply by changing your settings to prevent your computer from sending any further diagnostic information from your device to Apple.
Using this agglomeration of your crash reports and our ninja skills, Chronic Dev will be able to quickly pinpoint vulnerabilities in various programs by using the same techniques Apple currently employs. At the very least, your data will help point us in the direction of which applications are the most vulnerable, so we can focus our time & energy on these with laser-like intensity. And, of course, this will also prevent Apple from accessing all your valuable data, just so they can then turn around and use it against you.
You can download C-Dev Reporter using this link. As mentioned before, the idea of the new tool is to help in identifying new vulnerabilities and in turn result in a jailbreak for future iOS software updates, but it appears to be a long term solution. The news should come as a disappointment to iOS device users who have been eagerly waiting for an untethered jailbreak and in case of iPhone 4S and iPad 2 users a jailbreak for iOS 5.
As of now, it looks like Dev team who have jailbroken iPhone 4S are the only hope when it comes to releasing to jailbreak for iPhone 4S and iPad 2.
Source: Chronic Dev Team (blog)
Apple recently released iOS 5.0.1 and the jailbreak community has been advised to not upgrade. Pod2g recently found an exploit that may help to provide an untethered jailbreak and this exploit is patched on iOS 5.0.1. If you like many are seeking to use an untethered jailbreak, it would be wise to stay on iOS 5.0 because thats where the untethered jailbreak will be. For those of you who accidentally upgraded or unknowingly upgraded to iOS 5.0.1 you may be wondering how to downgrade back to iOS 5.0. In this case, you may downgrade if you have an SHSH previously saved. To do so, follow the procedure outlined below:
Required Files and Software
- Latest version of TinyUmbrella (Mac) (Windows)
- Redsn0w 0.9.9b8 (Mac) (Windows)
- iOS 5.0 Saved SHSH (needed from before)
- iTunes (latest)
- iOS5 IPSW (iPhone 3GS, iPhone 4, iPad, iPod Touch 3G, iPod Touch 4G)
Downgrade iOS 5.0.1 To iOS 5.0 With Saved SHSH
- Connect your iPhone to your computer and open TinyUmbrella.
- Click on Save SHSH (the iOS 5 SHSH will only show if you have it saved previously). Once saved, close TinyUmbrella.
- Open RedSn0w 0.9.9b8 and go to Extras > SHSH Blobs > then click Submit (it will open a window). Here, browse to the Saved SHSH file (which is in the directory C:/User/Acount Name/.shsh folder. (the saved SHSH file for iOS 5.0)
- After submitting it, you will see the Blobs Submission Report.
- Now click on Stitch, give it the same SHSH file (which you previously submitted) and give the SHSH file, then the iOS 5.0 IPSW file. Wait for it to complete.
- Now open TinyUmbrella and go to the Advanced tab. Here, check all the boxes and then close it.
- Now restore the Stitched IPSW file with iTunes in DFU mode.
Voila – you’re done! At this point we would recommend staying on iOS 5.0 and waiting for further news from the jailbreak community devs.
For those of you who do NOT have an SHSH file saved, you are currently out of luck. If you are on iOS 5.0.1, your current option is to jailbreak utilizing RedSn0w 0.9.9b8 or Sn0wbreeze 2.8b11. This jailbreak will be a tethered jailbreak, which means that you will have to connect your iOS device to your computer and “just boot” utilizing the software for every time you need to boot. You can download BigBoss’s Semi-Tether package from Cydia to help ease the pain of a tethered jailbreak. The Semi-Tether allows you to boot your iOS device and use all the stock applications until you can “just boot” with your computer as opposed to being stuck on the boot logo. As of right now, it is a decent alternative to allow you to use your iOS device for main functions.
Apple released iOS 5.0.1 this week and there’s already a way to jailbreak it. But there are a few things to keep in mind before you jailbreak your iPhone, iPod touch, or iPad.
Some Quick Notes before jailbreaking:
- This is a tethered jailbreak, which means you’ll need to connect your device to a computer and run the software again anytime you need to reboot.
- You might not want to update to iOS 5.0.1 at all if you’re holding out hope for an untethered jailbreak. An exploit was discovered in iOS 5.0 which may be used in a future untethered jailbreak tool, but if you update now there’s no good way to roll back to iOS 5.0 so you may not be able to use the new tools once their available.
- There’s currently no public jailbreak for an iPhone 4S or iPad 2. MuscleNerd revealed that he has successfully jailbroken the devices but needs to work to package the jailbreak for a public release.
- The process is a bit more complex if you have a carrier unlocked device. You may want to wait to make sure that ultrasn0w is updated to support iOS 5.0.1 and you’ll need to preserve your older baseband before upgrading to iOS 5.0.1.
Finally, for now performing a tethered jailbreak requires you to manually select an older IPSW file. If you used iTunes to update your device to iOS 5 you should still have the correct IPSW on your computer. If not, you can download the iOS 5.0 IPSW for your device from the following links:
Alright, if you’ve read the notes carefully and you would still like to jailbreak, here’s how you can do so after updating it to iOS 5.0.1.
- Make sure you’re running iTunes 10.5 or higher for Windows or Mac. ( It’s probably a good idea to use iTunes to backup your device before you get started as well)
- Make sure you’re running iOS 5.0.1 on your device. You can do this by connecting to iTunes and following the prompts to update your software, or by going into the settings on a iOS 5.0 device, choosing General, and then tapping the Software Update option to check for updates.
- Download Redsn0w 0.9.9b8 or higher for Windows or Mac from the iPhone Dev Team.
- Unzip redsn0w to a folder on your computer, open that folder, and run redsn0w. In Windows you do this by double-clicking the redsn0w.exe file.
- Choose the “Extras” option from the main menu.
- From the following screen hit the “Select IPSW” option and navigate to the folder where you’ve stored your iOS 5.0 IPSW file. Future versions of redsn0w may make this step unnecessary.
- Click OK to dismiss the message.
- Click Back to return to the main menu.
- Make sure your iPhone, iPod touch, or iPad is turned of (press and hold the power button until the “slide to power off” image appears on the screen, and then slide your finger across to turn off your device).
- Select the Jailbreak button to start the jailbreak process.
- A message will appear letting you know that the kernel is being patch.
- Select your options from the following screen. At the very least you’ll probably want to install the Cydia store.
- Hit the Next button.
- Hit the Next button again and then follow the on-screen instructions to enter DFU mode. In case you miss them, here’s what you need to do. While your device is turned off and connected to your computer:
- Press and hold the power button for 3 seconds.
- Without lifting your finger from the power button, press and hold the home button for 10 seconds.
- Release the power button, but not the home button. Continue to hold that one for another 15 seconds.
- That’s almost it. Redsn0w should do the rest for you and apply the jailbreak. But you’re not quite done yet, because you still need to perform your first tethered boot.
- Go back to the Redsn0w main screen, select the Extras option, and click “Just boot” and follow the on-screen instructions.” (You may also want to select “Choose IPSW” again first and select your iOS 5.0 IPSW file. Redsn0w didn’t recognize my build the first time I tried booting without taking that step).
Voila! Now you’re done! You should see the Cydia icon on your home screen.
If you ever need to reboot your device, you’ll need to connect your device to your computer and run Redsn0w’s “just boot” utility again. Otherwise you will be unable to boot at all. Alternately, you could install a jailbreak tweak called SemiTether from the Cydia Store. It will allow you to reboot your device and use your phone without tethering — but you will not have access to most of the device’s functions, so it’s a temporary fix at best.
Charlie Miller, a well-known Mac hacker and researcher has reportedly found a way to sneak malware into the App Store and subsequently onto any iOS device through the use of exploiting a flaw in Apple’s restrictions on code signing. According to Forbes, the restrictions allow the malware to steal user data and take control of certain iOS functions.
Miller explained that the code signing restrictions allow only Apple’s approved commands to run in an iOS device’s memory and apps that violate these rules aren’t allowed in the App Store. He found a way to bypass Apple’s security check by exploiting a bug in iOS code signing, one which allows an app to download new and unapproved commands from a remote computer. The malware can then be used to read user’s contacts, make the phone vibrate or sound a ringtone, steal user’s photos, and more whenever the developer chooses. According to Miller:
Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check. With this bug, you can’t be assured of anything you download from the App Store behaving nicely.
To showcase the exploit he found, Miller created an app called “Instastock,” which he submitted and Apple approved. The app appears to be a simple stock ticker but it can leverage the code signing bug and communicate with Miller’s server to pull unauthorized commands onto the affected device. From there the program has the ability to send back user data including address book contacts, photos, and other files. The app has been pulled from the App Store and according to a recent tweet of his, Miller has been banned from the Apple Store and kicked out of the iOS Developer program as well.
To provide more info on the exploit, Miller will be giving a talk at the SysCan conference in Taiwan next week. He won’t be public revealing the exploit though giving Apple time to fix the issue at hand. He does do a good job of showing it off in a video, which can be found below:
For those of you who don’t already know, Charlie Miller isn’t a novice when it comes to iOS or Mac security. In 2008, Miller broke into the MacBook Air in two minutes through Safari amongst many other feats.
What do you think of the whole ordeal? Do you think Apple made a smart move in banning him? Share any thoughts below!