Introduction to Hacking iOS Apps (Part 2)
In this second part of the “hacking iOS apps” series, we’ll perform some post-jailbreak steps to get ready for remote-debugging apps on the jailbroken device.
This is part 2 of a multi-part series.
In the first part of this series, we acquired and jailbroke an iOS device. In part 2, we’ll perform some updates and install necessary tools onto the device.
Remember that you may need to re-jailbreak your device every time it boots from cold.
When you start Cydia for the first time, you’ll probably be prompted to perform an Essential Upgrade. I’d go for the “Complete Upgrade”; Cydia will kill itself (exit) when the upgrade is complete.
Next, we’ll access the device over ssh.
ssh access over WiFi
The yalu jailbreak already includes the Dropbear ssh server, so there is no need to install OpenSSH. By default, the server is only reachable over USB, so we’ll need to change its config to allow access over WiFi.
- use Cydia to install the “Filza File Manager” app
- open Filza, and find “/private/var/containers/Bundle/Application/yalu102/yalu102.app/dropbear.plist”
- use the (i) button to change “Open with” to “Text Editor”, then tap “dropbear.plist” to edit it
- find the value `127.0.0.1:22` and replace it with `22` (this binds the dropbear ssh daemon to all network interfaces, instead of the default, which only listens on loopback)
- reboot the device (and re-jailbreak if necessary)
- you should now be able to ssh to the device over WiFi
- now’s a great time to change the root password
- and also change the password for the user “mobile”, which is used for running most apps
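As an added example (not code from the original post), here is a small Python check that reads a dropbear launchd plist, reports which address the ssh daemon is bound to, and applies the same `127.0.0.1:22` to `22` rewrite as the step above. The sample plist is constructed and assumes yalu’s layout of a `ProgramArguments` array holding the dropbear command line.

```python
import plistlib

# Constructed sample in the shape yalu's dropbear.plist is assumed to use:
# ProgramArguments carries the dropbear command line, "-p ADDR:PORT" sets the bind address.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/dropbear</string>
        <string>-F</string>
        <string>-R</string>
        <string>-p</string>
        <string>127.0.0.1:22</string>
    </array>
</dict>
</plist>
"""

def listen_specs(plist_bytes):
    """Return the values given to dropbear's -p options, e.g. ['127.0.0.1:22']."""
    args = plistlib.loads(plist_bytes)["ProgramArguments"]
    specs = []
    i = 1  # skip argv[0], the dropbear path itself
    while i < len(args):
        if args[i] == "-p" and i + 1 < len(args):          # "-p", "addr:port"
            specs.append(args[i + 1])
            i += 2
            continue
        if args[i].startswith("-p") and len(args[i]) > 2:  # "-paddr:port" (joined form)
            specs.append(args[i][2:])
        i += 1
    return specs

def exposure(spec):
    """Classify a -p value: 'loopback' (USB/localhost only), 'all' (reachable over WiFi), or 'specific'."""
    host, sep, _port = spec.rpartition(":")
    if not sep or host in ("0.0.0.0", "::", "[::]"):
        return "all"          # bare port or wildcard address: listens on every interface
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback"
    return "specific"         # pinned to a single interface address

def rebind(plist_bytes, old="127.0.0.1:22", new="22"):
    """Rewrite the -p value as the post does (127.0.0.1:22 -> 22); returns the new plist bytes."""
    data = plistlib.loads(plist_bytes)
    data["ProgramArguments"] = [new if a == old else a for a in data["ProgramArguments"]]
    return plistlib.dumps(data)
```

Once `exposure()` reports "all", the daemon answers on the WiFi address too, which is exactly why the next steps change the root and mobile passwords.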
In order to debug applications running on the device, we’ll need to install the debugserver tool. You’ll need Xcode installed on your Mac to do this.
First, take a look inside /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ - you’ll see folders for different versions of iOS. Inside each folder is a dmg file (a disk image). Mount the correct one for your version of iOS:
hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/10.1/DeveloperDiskImage.dmg
Then copy the debugserver binary somewhere:
cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ./
Create a file called entitlements.plist:
cat > entitlements.plist
… and paste in the entitlements plist content (the listing is not reproduced here).
Then close the file by pressing ^D (Control-D). Now re-sign debugserver with this new entitlements file:
codesign -s - --entitlements entitlements.plist -f debugserver
Finally, copy this re-signed debugserver binary to the device (replace <device-ip> with your device’s WiFi address):
tar -czf - ./debugserver | ssh root@<device-ip> 'tar -xzf - -C /var/root/'
Next time: we’ll debug a running app, and make some runtime changes.