Exploiting the iPhone 4 (axleos.com)
That said, this isn't just a bare-bones jailbreak with some writing attached: gala is a fully-fledged suite that includes a significant Python application, a Cocoa GUI for end-users, a Rust payload, Cocoa Touch games to play within the boot environment while the jailbreak completes, and C utilities that run on-device.
This was a lot of fun, and the journey included lots of milestones: when an iOS device boots, it does so in discrete stages (boot ROM, then boot loader, then kernel, etc.). This meant that my experience of developing this jailbreak also included these milestones, as over time I successfully compromised and ran each of these stages!
Building this was personally exciting because I used to regularly make and sell tweaks for jailbroken phones on Cydia. The jailbreaks themselves always seemed like inscrutable black magic, until now!
I'm really gratified to have finished up this project, and am excited to put it out into the world. Please feel welcome to have a look at the code, the writeup, or give it a spin on an old iPhone 4 that you have lying around. I hope you enjoy!
82 comments
[ 2.9 ms ] story [ 291 ms ] threadEdit: it appears that all of the application's functions are easily done by setting reminders and simple automation using built-in iOS apps. This is crapware and I don't know why OP is pushing it as so necessary.
The iVerify app also has other features, eg a checklist of iOS features that you should disable for your security (turning off bluetooth, airdrop, etc.) which the OS does not remind you of, because it's busy encouraging you to enable them.
[0] https://security.stackexchange.com/a/270906/76104
[1] https://media.defense.gov/2021/Sep/16/2002855921/-1/-1/0/MOB...
You can even automate turning off bluetooth and airdrop yourself, again, using the built-in automation functions.
So again: what does this 'security' app you're pushing as so necessary, do that cannot be done with the OS's built-in apps?
Also: can the peanut gallery nonsense about iOS being "busy encouraging you to enable" things. Bluetooth is only re-enabled if you disable it from the quick panel, and the OS tells you it will re-enable it. It will not re-enable it if disabled from the settings app. Airdrop does not re-enable itself, ever...
I called it a "useful app," while responding to a comment that linked to the GitHub repo that originally spawned the app. I never said it's "so necessary."
It's a free app from a reputable security company that provides reminders and checklists that I find helpful. Nobody is forcing you to install it (or to follow best practices like rebooting your device).
Could it have been an installer fluke? Sure. But it's concerning enough.
They didn't say security app.
They simply mentioned it as related to the comment they replied to, they aren't "pushing as so necessary". They didn't even say the word "necessary", simply explained the app and that they like it.
I don't understand the hostility.
I have a tangential, low-value question that I figured I might as well ask since the author is here. I have an old iPhone 4s whose passcode I have forgotten. I’d like to get some of the photos and data off. As far as I can tell, this exploit doesn’t require “legit” access to the device. Would this process be useful for retrieving data that’s already on the device?
presumably not, the 4s launched with iOS 5
However, a newer boot ROM exploit, checkm8, has become well-known in the intervening years. The A5 (that the 4s ships) is vulnerable to checkm8, which means that it'd certainly be possible to add support for this exploit chain to a project like gala!
The closest I found at the time was ipwdnfu, but it doesn't support the 4s [1].
I had assumed that this meant that checkm8 (which ipwdnfu uses/includes) didn't support the 4s either. Is that not the case?
[1] https://github.com/axi0mX/ipwndfu/issues/175
I think Sliver does what you want (PIN bypass) end to end for this device.
In a way, all those years later, that 'magic' of breaking through Apple's walls and running custom code is what enticed me to get into programming. I have immense gratitude to all involved.
Still feels just as cool to me!
I use one of them, my phone came with it, and I never had to do anything special with it. It just works. In my case it's de-Googled so I just have to use alternatives apps for e.g. Google Maps and the likes.
I bet Andy appreciated it!
People are already agog when I pull out my original SE, the only phone I use (and widely considered the best iPhone Apple made).
Kinda sad, really, what people put up with now.
Have you done anything with this on Qemu? https://github.com/danzatt/QEMU-s5l89xx-port/blob/master/hw/...
> This made the real issue clear: iOS 4 ships with an outdated set of root SSL certificates,
Alot of old software installations are in this situation, you cant install SBS2000 or SBS2003 Premium without turning back the clock on the server to 2001 and 2004 respectively.
For any closed source, I've found Ghidra[1] to be quite easy to use and understandable.
[1] https://ghidra-sre.org/
The parent comment was dead when I check, and I vouched it.
While the parent comment was not too insightful, it wasn't bad either (and you can argue it is useful). Not sure why it was dead.
It seems to me HN is becoming more intolerant recently.
Yes, maybe Jony should have stuck to designing razor-sharp aluminium wrist rests instead of tackling software.
Forstall pushed skeuomorphism to the extreme where Apple might as well be handing you the things they’re trying to emulate and call it a day. Ives, given total freedom, took a steamroller to the UI.
The beauty of the early designs (iOS 1 - 5) was the contrast between materials in the UI. Things you could press were shiny and made to look like they had the feel of the glass screen. This was not the usual way to interact with any device at the time, as most digitizers were plastic sheets laid over the glass that had some give. In contrast, things you could not touch were made to look matte.
Between Forstall and Ives, this all got blown up.
That's why we found those UIs so clear! It all registered without thinking (i.e. frustrated fumbling and frantic guesswork). Progress isn't always improvement, but the two concepts are now dangerously muddled.
can i jailbreak it w/out knowing how to program (like how difficult ,|,
I also made tweaks back then, and I also found jailbreaks to be black magic. Reading this, I still kind of think so :)
Now, this is a tethered jailbreak since it uses the system recovery mechanism to breach the chain of trust and ultimately boot a modified version iOS. I have to wonder how untethered jailbreaks work. Am I right that they don't go through the secure boot chain at all, leaving it intact, instead exploiting one of the privileged processes in a running system (or a non-privileged one, and then doing a separate privilege escalation exploit)? How do they gain persistence then? How do they patch the signature checks out of the kernel without tripping any signature checks in the bootloader and the kernel itself?
[1]: https://madaidans-insecurities.github.io/android.html#rootin...
edit: apparently I might be wrong. [0] also says that for a while only Mail storage, was encrypted and the default changed in iOS 7. So if your iPhone is on iOS <= 6, you might be able to use that to gain access to the device and copy pictures. The tools at [1] might help.
[1] https://code.google.com/archive/p/iphone-dataprotection/
[0] https://darthnull.org/ios-encryption/
FYI the link to part 3 at the bottom of part 2 [1] seems to be unreachable via mouse. On desktop the element img.terminal_in_demo_with_window is overlapping and blocking the link for me
[1] https://axleos.com/exploiting-the-iphone-4-part-2-bypassing-...
Errata: Part 5 has trailing ```
$ /usr/sbin/asr -source /mnt2/rootfs.dmg -target /dev/disk0s1 -erase```
I've gone ahead and fixed that - good catch, and thank you again!