su binary on the system or replacing the whole system with a rooted custom ROM. Exploits aren't required to obtain root access as long as the bootloader is accessible.
Note that any modification you make to your device is at your own risk. While jailbreaking is typically safe, things can go wrong and you may end up bricking your device. No other party except yourself can be held accountable for any damage.
Remember to change the default password for both users (root and mobile), as anyone on the same network can find the IP address of your device and connect via the well-known default password, which will give them root access to your device.
/private/etc/master.password on your jailbroken iOS device (using an on-device shell as shown below)
/smx7MYTQIi2M (which is the hashed password
22 on the iOS device to port
2222 on localhost. You can also make iproxy run automatically in the background if you don't want to run the binary every time you want to SSH over USB.
A small note on the USB port of an iDevice: since iOS 11.4.1, USB Restricted Mode blocks data connections over USB once the device has been locked for one hour, until you unlock it again.
ssh -R <remote_port>:localhost:22 <username>@<host_computer_ip>.
mstg user of the host computer:
root user of the iOS device:
tar and pull it from the device with
env command to get the directories of the app and navigate to the Documents directory.
file download <filename> you can download a file from the iOS device to your host computer and can analyze it afterwards.
file upload <local_file_path>.
Payload/Telegram X.app/Telegram X. See the following subsection for details on the extraction of the property lists.
On macOS's Finder, .app directories are opened by right-clicking them and selecting "Show Package Content". On the terminal you can just
dump.py is set to either localhost with port 2222 when using iproxy, or to the actual IP address and port of the device from which you want to dump the binary. Next, change the default username (User = 'root') and password (Password = 'alpine') in dump.py to the ones you use.
Telegram.ipa file will be created in your current directory. You can validate the success of the dump by removing the app and reinstalling it (e.g. using ios-deploy: ios-deploy -b Telegram.ipa). Note that this will only work on jailbroken devices, as otherwise the signature won't be valid.
Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available but since iTunes 12.7 it is not possible to install apps.
-m flag which will directly start debugging without installing the app again.
frida-ps -Uai to get all apps (-a) currently installed (-i) on the connected USB device (-U).
unzip or any other ZIP utility. Inside you'll find a
Payload folder containing the so-called Application Bundle (.app). The following output is an example; note that it was truncated for better readability and overview:
Info.plist contains configuration information for the application, such as its bundle ID, version number, and display name.
_CodeSignature/ contains a plist file with a signature over all files in the bundle.
Frameworks/ contains the app's native libraries as .dylib or .framework files.
PlugIns/ may contain app extensions as .appex files (not present in the example).
iGoat-Swift is the app binary containing the app's code. Its name is the same as the bundle's name minus the .app extension.
*.nib files (storing the user interfaces of the iOS app), localized content (<language>.lproj), text files, audio files, etc.
Info.plist (named by convention) is the main source of information for an iOS app. It consists of a structured file containing key-value pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are expected to have an Info.plist file. You can find all possible keys in the Apple Developer Documentation.
plutil, which is a tool that ships natively with macOS 10.2 and later (no official online documentation is currently available):
Info.plist file by just inspecting the file or by using grep -i <keyword> Info.plist:
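Inspecting an Info.plist is not limited to macOS: the following is an added example (not part of the original guide) that uses Python's standard-library plistlib to parse either the XML or the binary form of the file, pull out the bundle ID, version and display name that the text names, and run a case-insensitive keyword search over all keys, the same thing grep -i does on the XML text, but on the decoded structure so it also works on a binary plist. The Info.plist content, bundle identifier and key values below are constructed for the example and do not come from any real app.

```python
import plistlib
import re

# Constructed sample Info.plist (XML form), standing in for one pulled out of
# an IPA's Payload/<App>.app/ directory. All values are made up for this example.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.example.sampleapp</string>
    <key>CFBundleDisplayName</key>
    <string>Sample App</string>
    <key>CFBundleShortVersionString</key>
    <string>1.2.3</string>
    <key>CFBundleVersion</key>
    <string>42</string>
    <key>CFBundleExecutable</key>
    <string>SampleApp</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLSchemes</key>
            <array><string>sampleapp</string></array>
        </dict>
    </array>
</dict>
</plist>
"""


def load_info_plist(data: bytes) -> dict:
    """Parse an Info.plist; plistlib detects XML and binary (bplist00) input itself."""
    return plistlib.loads(data)


def to_xml(info: dict) -> str:
    """Re-serialize as XML, the equivalent of 'plutil -convert xml1' for a binary plist."""
    return plistlib.dumps(info, fmt=plistlib.FMT_XML).decode("utf-8")


def summarize(info: dict) -> dict:
    """Return the identifying keys the text mentions: bundle ID, version, display name."""
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "display_name": info.get("CFBundleDisplayName"),
        "version": info.get("CFBundleShortVersionString"),
        "build": info.get("CFBundleVersion"),
        "executable": info.get("CFBundleExecutable"),
    }


def grep_keys(node, keyword: str, prefix: str = "") -> list:
    """Case-insensitive keyword match over key names, walking nested dicts and arrays.

    Returns dotted paths (array elements as [i]) of every matching key, so the
    result reads like 'grep -i <keyword> Info.plist' but with its location.
    """
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if pattern.search(key):
                hits.append(path)
            hits.extend(grep_keys(value, keyword, path))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(grep_keys(value, keyword, f"{prefix}[{i}]"))
    return hits


if __name__ == "__main__":
    info = load_info_plist(SAMPLE_INFO_PLIST)
    print(summarize(info))
    print(grep_keys(info, "url"))
```

On a real bundle, read the bytes from Payload/<App>.app/Info.plist instead of SAMPLE_INFO_PLIST; because plistlib handles the binary format, no prior plutil conversion is needed, and to_xml gives you a readable copy when you do want one.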
Frameworks folder in the IPA, you can also inspect them from the terminal:
/Applications directory while user-installed apps are available under /private/var/containers/. However, finding the right folder just by navigating the file system is not a trivial task as every app gets a random 128-bit UUID (Universal Unique Identifier) assigned for its directory names.
Caches subdirectories, but the app can create custom subdirectories.
NSUserDefaults can be found in this file.
ios keychain dump command to get an overview of the keychain: