`su` binary on the system or replacing the whole system with a rooted custom ROM. Exploits aren't required to obtain root access as long as the bootloader is accessible.

IMPORTANT NOTE: Beware of fake tools and spyware, which are often hiding behind domain names that are similar to the name of the jailbreaking group/author.

Note that any modification you make to your device is at your own risk. While jailbreaking is typically safe, things can go wrong and you may end up bricking your device. No other party except yourself can be held accountable for any damage.
`ssh root@<device_ip_address>`, which will log you in as the root user. Type `exit` to quit.

The two default users are `root` and `mobile`; the default password for both is `alpine`. Remember to change the default password for both users `root` and `mobile`, as anyone on the same network can find the IP address of your device and connect via the well-known default password, which will give them root access to your device.
To reset the password back to `alpine`, edit `/private/etc/master.passwd` on your jailbroken iOS device (using an on-device shell as shown below) and replace the password hash field of the affected user (shown as `xxxxxxxxx`) with `/smx7MYTQIi2M` (which is the hashed password `alpine`). That value is a traditional DES `crypt(3)` hash, and its being well known is exactly what makes the default password dangerous, so treat this as a temporary reset and set a new password again afterwards.

iproxy forwards port `22` on the iOS device to port `2222` on localhost. You can also make iproxy run automatically in the background if you don't want to run the binary every time you want to SSH over USB.

Small note on USB of an iDevice: on an iOS device you cannot make data connections anymore after 1 hour of being in a locked state, unless you unlock it again, due to USB Restricted Mode, which was introduced with iOS 11.4.1.
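The hash the reset above writes back into `master.passwd` is the one every jailbroken device starts with, so before exposing a device to a network it is worth checking whether `root` and `mobile` still carry it. The following is an added example, not code from the guide: it parses a constructed `master.passwd` in the 10-field BSD layout iOS uses and flags accounts whose hash is the well-known `alpine` hash, is empty, or is a weak traditional DES `crypt(3)` hash. The sample accounts and hash values are made up and marked as such in the comments; on a device you would feed it `/private/etc/master.passwd` over SSH.

```python
"""Audit a BSD master.passwd file for accounts still on the default iOS password.

Added example; not code from the guide. Assumes the 10-field BSD master.passwd
layout used on iOS: name:hash:uid:gid:class:change:expire:gecos:home:shell
"""
import re

# Traditional DES crypt(3) hash of "alpine" (salt "/s"): the value the guide tells
# you to put back into master.passwd, and what every jailbroken device ships with.
DEFAULT_HASHES = {"/smx7MYTQIi2M": "alpine"}

# A traditional DES crypt(3) hash is exactly 13 characters of [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

FIELDS = ("name", "hash", "uid", "gid", "class", "change", "expire", "gecos", "home", "shell")

# Constructed sample, not a real device dump: root was never changed, mobile got a
# SHA-512 crypt hash (placeholder digest), mstg uses a non-default DES hash.
SAMPLE_MASTER_PASSWD = """\
# constructed sample
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:$6$c2FsdA$placeholderplaceholderplaceholder:501:501::0:0:Mobile User:/var/mobile:/bin/sh
mstg:abJnggxhB/yWI:502:502::0:0:Test User:/var/mobile:/bin/sh
"""


def parse_master_passwd(text):
    """Return one dict per account line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed master.passwd line: {raw!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_entry(entry, known_hashes=DEFAULT_HASHES):
    """Return a finding for one account, or None if its hash raises no concern."""
    h = entry["hash"]
    if h in known_hashes:
        return f"default password hash ({known_hashes[h]})"
    if h == "":
        return "empty password field (login without a password)"
    if h.startswith(("*", "!")):
        return None  # locked account, no password login possible
    if DES_CRYPT_RE.match(h):
        return "traditional DES crypt(3) hash (only 8 password characters are significant)"
    return None


def audit_master_passwd(text, known_hashes=DEFAULT_HASHES):
    """Return [(account name, finding)] for every account that needs attention."""
    findings = []
    for entry in parse_master_passwd(text):
        reason = audit_entry(entry, known_hashes)
        if reason:
            findings.append((entry["name"], reason))
    return findings


if __name__ == "__main__":
    # On a device: audit_master_passwd(open("/private/etc/master.passwd").read())
    for name, reason in audit_master_passwd(SAMPLE_MASTER_PASSWD):
        print(f"{name}: {reason}")
```

Only `root` and `mstg` are reported for the sample: `mobile` has a non-DES hash and `nobody` is locked, which is the outcome you want to see on a device whose passwords were actually changed.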
`ssh -R <remote_port>:localhost:22 <username>@<host_computer_ip>`. In the following example `mstg` is the user of the host computer and `root` is the user of the iOS device.

`tar` and pull it from the device with `scp`.

`env` command to get the directories of the app and navigate to the Documents directory. With `file download <filename>` you can download a file from the iOS device to your host computer and analyze it afterwards; `file upload <local_file_path>` copies a local file to the device.

`Payload/Telegram X.app/Telegram X`. See the following subsection for details on the extraction of the property lists. In macOS's Finder, .app directories are opened by right-clicking them and selecting "Show Package Contents". On the terminal you can just `cd` into them.
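To do the unpacking and checking described here, and in the bundle-structure subsection that follows, programmatically, the following added example (not code from the guide, frida-ios-dump, Clutch or objection) builds a constructed minimal IPA in memory, locates `Payload/*.app`, reads the security-relevant `Info.plist` keys (bundle ID, executable name, URL schemes, App Transport Security) and lists `Frameworks/` and `PlugIns/`; it then recomputes the resource hashes sealed in `_CodeSignature/CodeResources` to spot files modified or added after signing. Assumed and commented as such: the sample bundle contents, and that only the `files2`/`hash2` SHA-256 entries are checked (real seals also carry `rules`/`rules2` and `cdhash` entries for nested code, and the executable and `Info.plist` are hashed by the CodeDirectory embedded in the binary, not by CodeResources).

```python
"""Inspect an IPA's Payload/*.app bundle and verify its CodeResources seal.

Added example; not code from the guide or any tool it mentions. The IPA is
constructed in memory so this runs offline; pass a real .ipa's bytes instead.
"""
import hashlib
import io
import plistlib
import zipfile

APP_NAME = "iGoat-Swift"
BUNDLE = f"Payload/{APP_NAME}.app/"
# Not covered by CodeResources: the seal itself, and nested code (sealed by its own
# signature). The executable and Info.plist are hashed in the embedded CodeDirectory.
NOT_IN_SEAL = ("_CodeSignature/", "Frameworks/", "PlugIns/")


def build_sample_ipa(tamper=False):
    """Constructed minimal IPA (not a real app). tamper=True edits a sealed resource."""
    info = {  # assumed Info.plist content
        "CFBundleIdentifier": "OWASP.iGoat-Swift",
        "CFBundleExecutable": APP_NAME,
        "CFBundleShortVersionString": "1.0",
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["igoat"]}],
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
    }
    resources = {"Base.lproj/Main.nib": b"<constructed nib>", "config.json": b'{"debug": true}'}
    # Only the resource hashes are modelled: files = SHA-1, files2/hash2 = SHA-256.
    seal = plistlib.dumps({
        "files": {p: hashlib.sha1(d).digest() for p, d in resources.items()},
        "files2": {p: {"hash2": hashlib.sha256(d).digest()} for p, d in resources.items()},
    })
    if tamper:
        resources["config.json"] = b'{"debug": false}'  # changed after sealing
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(BUNDLE + "Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr(BUNDLE + APP_NAME, b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # 64-bit Mach-O magic
        z.writestr(BUNDLE + "_CodeSignature/CodeResources", seal)
        z.writestr(BUNDLE + "Frameworks/Telemetry.framework/Telemetry", b"\xcf\xfa\xed\xfe")
        z.writestr(BUNDLE + "PlugIns/Share.appex/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": "OWASP.iGoat-Swift.Share"}))
        for path, data in resources.items():
            z.writestr(BUNDLE + path, data)
        z.writestr(BUNDLE + "injected.js", b"alert(1)")  # added after signing: not sealed
    return buf.getvalue()


def find_app_dir(names):
    """Locate Payload/<name>.app/ in the archive listing."""
    for n in names:
        parts = n.split("/")
        if len(parts) > 2 and parts[0] == "Payload" and parts[1].endswith(".app"):
            return "/".join(parts[:2]) + "/"
    raise ValueError("no Payload/*.app in archive")


def _children(rel_paths, folder):
    """Direct children of a bundle folder, e.g. Frameworks/ -> {'X.framework', 'Y.dylib'}."""
    return sorted({p.split("/")[1] for p in rel_paths if p.startswith(folder) and p.split("/")[1]})


def inspect_ipa(ipa_bytes):
    """Summarise the security-relevant parts of the bundle without unpacking to disk."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        app = find_app_dir(names)
        info = plistlib.loads(z.read(app + "Info.plist"))  # handles XML and binary plists
        rel = [n[len(app):] for n in names if n.startswith(app)]
        ats = info.get("NSAppTransportSecurity", {})
        return {
            "bundle": app,
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": info.get("CFBundleExecutable"),
            "url_schemes": [s for t in info.get("CFBundleURLTypes", [])
                            for s in t.get("CFBundleURLSchemes", [])],
            "ats_allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
            "frameworks": _children(rel, "Frameworks/"),
            "plugins": _children(rel, "PlugIns/"),
        }


def verify_code_resources(ipa_bytes):
    """Recompute SHA-256 over resource files and compare with files2/hash2 in the seal."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        app = find_app_dir(z.namelist())
        info = plistlib.loads(z.read(app + "Info.plist"))
        seal = plistlib.loads(z.read(app + "_CodeSignature/CodeResources"))
        sealed = {p: e["hash2"] for p, e in seal.get("files2", {}).items() if "hash2" in e}
        actual = {}
        for n in z.namelist():
            rel = n[len(app):]
            if not n.startswith(app) or n.endswith("/") or rel.startswith(NOT_IN_SEAL) \
                    or rel in ("Info.plist", info["CFBundleExecutable"]):
                continue
            actual[rel] = hashlib.sha256(z.read(n)).digest()
        return {
            "mismatched": sorted(p for p in sealed if p in actual and actual[p] != sealed[p]),
            "missing": sorted(p for p in sealed if p not in actual),
            "unlisted": sorted(p for p in actual if p not in sealed),
        }


if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
    print(verify_code_resources(build_sample_ipa(tamper=True)))
```

Against a binary pulled with frida-ios-dump or Clutch the seal check is mostly informative, since those tools repackage a decrypted binary; it is useful when you want to know whether a bundle someone handed you still matches what its developer signed.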
`scp`. Run Clutch with the `-i` flag to list all installed applications:

Make sure the target in `dump.py` is set to either localhost with port 2222 when using iproxy, or to the actual IP address and port of the device from which you want to dump the binary. Next, change the default username (`User = 'root'`) and password (`Password = 'alpine'`) in `dump.py` to the ones you use.

`Telegram.ipa` file will be created in your current directory. You can validate the success of the dump by removing the app and reinstalling it (e.g. using ios-deploy: `ios-deploy -b Telegram.ipa`). Note that this will only work on jailbroken devices, as otherwise the signature won't be valid.

Please note that iTunes is no longer available in macOS Catalina. If you are using an older version of macOS, iTunes is still available, but since iTunes 12.7 it is not possible to install apps.
`ideviceinfo`, `ideviceinstaller` or `idevicedebug`.

`-m` flag, which will directly start debugging without installing the app again.

`frida-ps -Uai` to get all apps (`-a`) currently installed (`-i`) on the connected USB device (`-U`):

`unzip`
or any other ZIP utility. Inside you'll find a `Payload` folder containing the so-called Application Bundle (.app). The following is an example of the resulting output; note that it was truncated for better readability and overview:

- `Info.plist` contains configuration information for the application, such as its bundle ID, version number, and display name.
- `_CodeSignature/` contains a plist file (`CodeResources`) with hashes of the bundle's resource files; this seal is itself covered by the code signature embedded in the app binary.
- `Frameworks/` contains the app's native libraries as .dylib or .framework files.
- `PlugIns/` may contain app extensions as .appex files (not present in the example).
- `iGoat-Swift` is the app binary containing the app's code. Its name is the same as the bundle's name minus the .app extension.
- `*.nib` files (storing the user interfaces of the iOS app), localized content (`<language>.lproj`), text files, audio files, etc.

`Info.plist`
(named by convention) is the main source of information for an iOS app. It consists of a structured file containing key-value pairs describing essential configuration information about the app. Actually, all bundled executables (app extensions, frameworks and apps) are expected to have an `Info.plist` file. You can find all possible keys in the Apple Developer Documentation.

`plutil`, which is a tool that comes natively with macOS 10.2 and above (no official online documentation is currently available, but `man plutil` documents its options):

`Info.plist` file by just inspecting the file or by using `grep -i <keyword> Info.plist`:

- `UTExportedTypeDeclarations` / `UTImportedTypeDeclarations` (see "iOS Platform APIs")

`Frameworks` folder in the IPA, you can also inspect them from the terminal:

`Frameworks` folder.

`/Applications`
directory while user-installed apps are available under `/private/var/containers/`. However, finding the right folder just by navigating the file system is not a trivial task, as every app gets a random 128-bit UUID (Universally Unique Identifier) assigned for its directory names.

`ipainstaller` (IPA Installer Console) as follows:

`env` will also show you all the directory information of the app. Connecting to the application with objection is described in the section "Recommended Tools - Objection".

`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/`).

`/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/`).

`NSURLIsExcludedFromBackupKey`.

`Application Support` and `Caches` subdirectories, but the app can create custom subdirectories.

`NSURLIsExcludedFromBackupKey`.

`NSUserDefaults` can be found in this file.

`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/iGoat-Swift.app`):

`Info.plist` file:

`ios keychain dump` command to get an overview of the keychain:

`frida-tools==1.3.0`, `frida==12.4.8` and `objection==1.5.0`.
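Finding the bundle and data container behind the random UUID directories listed above is easier by matching the bundle ID than by browsing. The following added example (not code from the guide or from objection) resolves both from a bundle ID: it reads `CFBundleIdentifier` from each `/var/containers/Bundle/Application/<UUID>/*.app/Info.plist`, and for the data container relies on the metadata plist `.com.apple.mobile_container_manager.metadata.plist` (key `MCMMetadataIdentifier`) that iOS writes into every `/var/mobile/Containers/Data/Application/<UUID>/`, a file the guide does not mention. It then reads the app's persisted `NSUserDefaults` from `Library/Preferences/<bundle id>.plist`. A constructed directory tree stands in for the device so the script runs offline; the bundle IDs and stored values are made up.

```python
"""Resolve an app's bundle and data containers from its bundle ID.

Added example; not code from the guide. Uses the container manager metadata plist
(.com.apple.mobile_container_manager.metadata.plist, key MCMMetadataIdentifier) that
iOS keeps in each data container. A constructed tree replaces the device for offline use.
"""
import os
import plistlib
import tempfile
import uuid

BUNDLE_ROOT = os.path.join("var", "containers", "Bundle", "Application")
DATA_ROOT = os.path.join("var", "mobile", "Containers", "Data", "Application")
DATA_META = ".com.apple.mobile_container_manager.metadata.plist"


def _read_plist(path):
    with open(path, "rb") as f:
        return plistlib.load(f)  # XML or binary plist


def build_sample_device(root):
    """Constructed layout, not a real device: two apps with random container UUIDs."""
    apps = {"OWASP.iGoat-Swift": "iGoat-Swift.app", "com.example.other": "Other.app"}
    for bundle_id, app_dir in apps.items():
        bundle = os.path.join(root, BUNDLE_ROOT, str(uuid.uuid4()).upper(), app_dir)
        os.makedirs(bundle)
        with open(os.path.join(bundle, "Info.plist"), "wb") as f:
            f.write(plistlib.dumps({"CFBundleIdentifier": bundle_id}, fmt=plistlib.FMT_BINARY))
        data = os.path.join(root, DATA_ROOT, str(uuid.uuid4()).upper())
        prefs = os.path.join(data, "Library", "Preferences")
        os.makedirs(prefs)
        os.makedirs(os.path.join(data, "Documents"))
        with open(os.path.join(data, DATA_META), "wb") as f:
            f.write(plistlib.dumps({"MCMMetadataIdentifier": bundle_id, "MCMMetadataVersion": 1}))
        # NSUserDefaults are persisted to Library/Preferences/<bundle id>.plist (made-up values)
        with open(os.path.join(prefs, bundle_id + ".plist"), "wb") as f:
            f.write(plistlib.dumps({"username": "alice", "sessionToken": "constructed-token"},
                                   fmt=plistlib.FMT_BINARY))
    return root


def find_bundle_dir(root, bundle_id):
    """Walk Bundle/Application/<UUID>/*.app and match CFBundleIdentifier."""
    base = os.path.join(root, BUNDLE_ROOT)
    for container in os.listdir(base):
        cdir = os.path.join(base, container)
        for entry in os.listdir(cdir):
            info = os.path.join(cdir, entry, "Info.plist")
            if entry.endswith(".app") and os.path.isfile(info) \
                    and _read_plist(info).get("CFBundleIdentifier") == bundle_id:
                return os.path.join(cdir, entry)
    return None


def find_data_dir(root, bundle_id):
    """Walk Data/Application/<UUID> and match the container manager metadata."""
    base = os.path.join(root, DATA_ROOT)
    for container in os.listdir(base):
        meta = os.path.join(base, container, DATA_META)
        if os.path.isfile(meta) and _read_plist(meta).get("MCMMetadataIdentifier") == bundle_id:
            return os.path.join(base, container)
    return None


def user_defaults(root, bundle_id):
    """Persisted NSUserDefaults: {} if the app stored none, None if it has no data container."""
    data = find_data_dir(root, bundle_id)
    if data is None:
        return None
    path = os.path.join(data, "Library", "Preferences", bundle_id + ".plist")
    return _read_plist(path) if os.path.isfile(path) else {}


def resolve(root, bundle_id):
    """Bundle dir, data dir and persisted defaults for one app; root is "/" on a device."""
    return {"bundle": find_bundle_dir(root, bundle_id), "data": find_data_dir(root, bundle_id),
            "defaults": user_defaults(root, bundle_id)}


def demo():
    """Build the constructed tree in a temp dir and resolve a present and an absent app."""
    root = build_sample_device(tempfile.mkdtemp())
    return resolve(root, "OWASP.iGoat-Swift"), resolve(root, "com.nope")


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a jailbroken device the same functions work with `root = "/"`, either from an on-device shell or after pulling the two `Application` trees with `scp`; the defaults plist is where credentials and tokens that should have gone into the keychain often turn up.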