InfoSec Write-ups – Medium–
Installing an unsigned iOS app (what is the prerequisite of jailbreaking) using Linux with (semi-)legitimate tools.
Consider the following situation: we have a factory-installed iOS device (iPhone 5S here) with a recent iOS version (12.4.8) and we want to jailbreak it. We have a Linux desktop (Arch Linux in the following guide), a lightning cable for the iPhone device, but nothing more. For example, we have no genuine Apple hardware installed with macOS.
There are a lot of iOS jailbreaking solutions available for free. Most of them are iOS apps distributed in .ipa file format packages. The prerequisite of the jailbreaking procedure is installing and running these apps on the iPhone device.
Browsing the jailbreaking solutions, the one called unc0ver by Pwn20wnd seems to be suitable. The latest version can be downloaded from the “official” unc0ver.dev site (earlier versions with source are also available in its dedicated github repo).
The only problem is that we cannot install it on a non-jailbreaked device because it lacks a valid signature.
The Signature Problem
While installing 3rd party applications on an Android device is possible with self-signed certificates, iOS (without jailbreaking) only accepts certificates signed by the official Apple CA. Without a signature approved by the Apple CA, the .ipa package files cannot be installed and run.
There are various levels of code signing solutions:
- with a (paid) Developer Account: for Apple Store, Enterprise level development / testing (on multiple devices)
- with a free Apple ID: for development / testing on individual devices.
Of course, distributing malicious apps like a jailbreak is not possible through Apple Store.
Sometimes you can find downloadable jailbreak apps signed with some enterprise level development certificate that might work (after installing over-the-air or sideloading through lightning cable and the development certificate is accepted in the iOS settings), but sooner or later it will be blocked (the certificate will be revoked) by Apple. Moreover, these jailbreak apps may be a little bit different found in the “official” jailbreak distributions, so using these is obviously an extra risk factor.
The cleanest solution should be using a free Apple ID bound to the device to be jailbroken, and create a custom valid signature for the unc0ver app.
Code signing with a free Apple ID
There ̵i̵s̵ was (at the time of writing) a simple multi-platform GUI solution for code signing and deploying iOS apps (as .ipa files) to iOS devices using a free Apple ID called Cydia Impactor, but unfortunately (after some Apple/XCode API upgrade) in 2019 it stopped working.
There are alternative 3rd party solutions (not for Linux, but on Windows) which may work now until there is some newer upgrade in the signing process, but there is a robust, official method for code signing: using the Apple Developer tool XCode itself. After signing the app (especially the unc0ver jailbreak app) using XCode with the free Apple ID bound to the device, it can be installed and run on the iPhone.
There is only a minor problem: XCode runs only on macOS.
Running macOS without Apple hardware
So the question is: is it possible to run XCode somehow on Linux OS (or on other than genuine Apple hardware)? Thanks to some great people, it is possible.
There is an interesting project called Darling which is a macOS emulation layer for Linux (think of it as Wine for running Windows binaries on Linux). Unfortunately this is in early alpha status now, running XCode (and connecting iPhone) is still not working yet.
A much harder solution is virtualization: the myspaghetti/macos-virtualbox is a “push-button” installer of recent macOS systems for VirtualBox. By just running the script, it downloads and installs everything without user interaction. After a short time there is an almost fully functional macOS virtualized system ready. But there was an issue with the USB: could not connect the iPhone device to the guest macOS VM.
Another efficient virtualization platform is QEMU/KVM. The OSX-KVM project by Dhiru Kholia is an up-to-date solution for downloading, installing and running macOS on QEMU/KVM (for example on a Linux host). One of the great advantages of this solution is that QEMU/KVM supports PCI passthrough from the host to the guest using IOMMU (if your hardware supports IOMMU). So it is possible to passthrough the whole USB device to the guest, and this way it is possible to connect the iPhone to the virtual macOS system (without troubling with non-working, incompatible USB drivers on the host and the guest).
So let us use QEMU/KVM with the OSX-KVM project, and pass through the whole USB controller using IOMMU. After this, code signing (even resigning) for the connected iPhone with XCode is possible.
So let us sum it all:
- Install a QEMU/KVM virtualized macOS system using the OSX-KVM project (part 2/4)
- Configure PCI passthrough of the USB controller to connect the iPhone to the guest VM (part 3/4)
- Use XCode to sign the unc0ver jailbreak app (or anything else) for the connected iPhone and install it (part 4/4).
Pros over other solutions:
- As a result, you will have also a full-featured, working macOS virtual machine with a connected iPhone.
- We can understand and control the process better than using a one-click solution.
- The theory of this process will work in the future, while 3rd party solutions will fail after Apple upgrades and modifies APIs or others.
- “Only” trusting the official jailbreak apps is needed, no need to trust completely unknown sources of possible malicious binaries.
- No need to install dangerous (possible malicious) tools on your host computer. Even the macOS virtual machine remains clean.
- Everything is free.
- The process is definitely much more complex than other one-click (or over-the-air) solutions.
- You need a recent host hardware with enough resources.
The details are covered in the next parts soon. Stay tuned, part 2 is following, it is about installing the virtualized macOS system.