pod2g's iOS blog

More IDA scripts to reverse the iOS kernel

2013-02-08T11:18:00.000+01:00

I added 2 scripts for IDA to help reverse the iOS kernel :

idpy-ios-kernel-fix-thumb-segments: helps IDA to correctly set the processor mode (ARM / thumb) for kexts. This way IDA will cover more code.
idc-ios-boot-args: list all possible boot-args for an iOS kernel (rely on code covered)

It is in my github.

~pod2g

HITB Amsterdam 2013 - MOBILE HACKING II

2013-02-06T13:02:00.001+01:00

I will give a hacking presentation covering iOS reverse engineering at HITB Amsterdam 2013 conference along with Blake and @p0sixninja.

More informations on my specific part soon, but you can already check details here: Mobile Hacking II details.

There's only 20 attendees possible on this class, so, if you are interested in mobile hacking and want to improve your skills and knowledge, book your tickets early.

My team @evad3rs (me included) will also probably be there at HITB for a full insight explanation of evasi0n jailbreak. CFP closes the 8th of february, I will know for sure soon after.

For news on HITB, follow @HITBSecConf on twitter, there's also this hashtag #HITB2013AMS.

~pod2g

evasi0n country statistics

2013-02-06T11:54:00.000+01:00

Interesting questions from my followers regarding origins of traffic.

Here is the repartition:

China is the #1 source of traffic with nearly 3 million visitors.

I am happy to see France in the top 3! Now I am proud of my country!

Vive la France! :-)

evasi0n statistics, 4th of february included

2013-02-06T10:22:00.000+01:00

A little update to previous post:

with the 4th included, the number of unique visitors reach 5 millions and page views 40 millions!

evasi0n.com statistics

2013-02-05T13:11:00.001+01:00

Here are partial statistics of the evasi0n.com website. Google analytics seems busy updating its database, so I can't show data for the 4th of february (certainly the most interesting figures, since it's the day of release).

Nearly 3 million unique visitors!

Thank you very much for the interest in evasi0n!

And thanks to CloudFlare for the quality of their service!

~pod2g

iOS com.apple.mobile.installation.plist rebuild

2013-02-05T11:13:00.001+01:00

People have been complaining about Weather.app not working anymore after applying evasi0n jailbreak.

We figured out that the jailbreak process messes up with com.apple.mobile.installation.plist. A fix is currently in the works and will be pushed to Cydia soon.

If you are a power-user, and want to fix the situation already, here is a script that forces a rebuild of com.apple.mobile.installation.plist :

#!/bin/bash

chmod -x /usr/libexec/mobile_installation_proxy

killall -9 mobile_installation_proxy

rm /var/mobile/Library/Caches/com.apple.mobile.installation.plist /var/mobile/Library/Caches/com.apple.LaunchServices-045.csstore

launchctl stop com.apple.mobile.installd

launchctl start com.apple.mobile.installd

while [ ! -f /var/mobile/Library/Caches/com.apple.mobile.installation.plist ];

sleep 1

done

while [ ! -f /var/mobile/Library/Caches/com.apple.LaunchServices-045.csstore ];

sleep 1

done

sleep 10

chmod +x /usr/libexec/mobile_installation_proxy

sync

reboot

Before trying it, make sure to do a backup. It has already been thoroughly tested, but it is safer.

You can contact me on twitter (follow button on the top right) if you want to discuss of this fix.

I hope it helps.

evasi0n iOS 6.x untethered jailbreak

2013-02-05T10:36:00.000+01:00

Hi there!

My team evad3rs has released evasi0n iOS 6.x jailbreak to http://evasi0n.com

Happy jailbreaking!

~pod2g

2G Lab

2013-01-15T12:24:00.001+01:00

Hi.

You reader certainly know that I have not been really present in the security field since a few months now.

The reason of this was the creation of my company, 2G Lab, focusing on 2 different areas : development and security research.

Now that our first application, named podDJ is out to the AppStore, we will focus on both subjects.

If you have a project that you would like 2G Lab to work on, contact us: contact at 2g-lab dot com.

Best wishes to you all,

Cyril (@pod2g)

WWJC 2012 slides

2012-09-30T20:16:00.003+02:00

I really enjoyed being in San Francisco the 29th of september 2012 for the WWJC conference.

I watched awesome presentations from the best iOS tweak developers out there :

Aaron Ash
Josh M. Tucker
Carsten Heinelt
@ih8sn0w
@NitoTV
Ryan Petrich
Jay Freeman
Dustin Howett
@pimskeks

I met some of my fans also ;-) Thanks to them for their support !!!

I am looking forward for the next WWJC event that should happen next year in New York.

Here are the slides of my talk : Jailbreak Techniques, WWJC 2012

Next con on my agenda : HITB 2012 in Malaysia from the 10th to the 11th of october.

sendrawpdu: send raw SMS PDU data to the iPhone 4 baseband

2012-08-17T22:17:00.000+02:00

The little tool sendrawpdu is now on github. It is based on iphone-elite's sendmodem. With an iPhone 4, and this sample code, you can verify my statements for free ;-) .

By the way, I read some comments around saying that SMS spoofing is not new, that one can modify the origin address of a SMS in the protocol and such.

Now tell me, how can you do this without paying a dedicated service which is in fact a gateway talking to the carrier at a lower layer than the PDU data ? In a SMS-SUBMIT message, you can't change the origin address.

Never trust SMS: iOS text spoofing

2012-08-17T09:52:00.000+02:00

I mentioned it on twitter a few days ago, I found a flaw in iOS that I consider to be severe, while it does not involve code execution. I am pretty confident that other security researchers already know about this hole, and I fear some pirates as well.

The flaw exists since the beginning of the implementation of SMS in the iPhone, and is still there in iOS 6 beta 4. Apple: please fix before the final release.

A SMS text is basically a few bytes of data exchanged between two mobile phones, with the carrier transporting the information. When the user writes a message, it is converted to PDU (Protocol Description Unit) by the mobile and passed to the baseband for delivery.

PDU is a protocol that is pretty dense, allowing different types of messages to be emitted. Some examples : SMS, Flash SMS, Voice mail alerts, EMS, ...

The specification is large and pretty complex. As an example, just to code the data, there are multiple possible choices : 7bit, 8bit, UCS2 (16bit), compressed or not, ...

If you either own a smartphone, or a modem and an account in a SMS gateway, you can send texts in raw PDU format (some services also exist to send a text with an HTTP request in raw PDU format). For the easiest smartphone option, there are different tools available online. I made one for the iPhone 4 that I will publicize soon.

In the text payload, a section called UDH (User Data Header) is optional but defines lot of advanced features not all mobiles are compatible with. One of these options enables the user to change the reply address of the text. If the destination mobile is compatible with it, and if the receiver tries to answer to the text, he will not respond to the original number, but to the specified one.

Most carriers don't check this part of the message, which means one can write whatever he wants in this section : a special number like 911, or the number of somebody else.

In a good implementation of this feature, the receiver would see the original phone number and the reply-to one. On iPhone, when you see the message, it seems to come from the reply-to number, and you loose track of the origin.

Why is it an issue ?

pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
one could send a spoofed message to your device and use it as a false evidence.
anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.

Now you are alerted. Never trust any SMS you received on your iPhone at first sight.

Pwnie Awards 2012

2012-07-23T21:02:00.002+02:00

I am nominated for the Pwnie Awards 2012 with the kernel exploit used in Corona !
Thank you very much to the persons who have chosen me, I am really happy and proud of it.

Here is the quote :

iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

Credit: pod2g

This exploit was used for the Absinthe iOS 5.0/5.0.1 untether. It massaged the kernel heap into submission, copying over the syscall table and giving pod2g (as well as jailbreak users everywhere) a happy ending. And who doesn't love happy endings?

I can't wait for the results! It will happen the 25th of july at the BlackHat USA conference.

WWJC talk

2012-07-23T20:41:00.000+02:00

Thank you very much for all that voted to the poll about my WWJC talk (3841 total votes).

Here are the results of what most people are interested in :

Vulnerability research (45 %)
Bootrom / iBoot exploitation (34 %)
History of jailbreaks and exploits since 2007 (33 %)
Explanation of iOS security features in detail (30 %)

I will focus on these subjects, and will also talk about the exploits used in rocky-racoon / Absinthe v2.0.

WWJC details

Absinthe 2.0 is out !

2012-05-25T14:30:00.002+02:00

The 5.1.1 untethered jailbreak I talked about for weeks now is out. Hopefully.

The wait is over !

Enjoy guys !

Actual download website : http://greenpois0n.com/

~pod2g

Why jailbreak ?

2012-05-21T18:05:00.001+02:00

There are multiple reasons to jailbreak, including :

changing the iOS experience with powerful tweaks that can't ever exist on the AppStore : SBSettings, WinterBoard, IntelliScreenX, LockInfo, and lot of others...
playing retro games on console and arcade emulators.
having access to a unix shell in you pocket, and all the open source software that can run on a unix OS.

The jailbreak is not meant for (and we are totally against it) :

pirating AppStore applications

Also please don't pirate Cydia tweaks, there are people working hard on these, and the price is usually low. There's no reason to do that.

Some facts about the 5.1.1 untethered jailbreak

2012-05-21T14:51:00.002+02:00

@MuscleNerd wrote a quick sheet about the upcoming tools (link).

I won't rephrase him, so here are the contents of the file at the time of writing :

* All info below is tentative and subject to last minute refinements
* @pod2g's 5.1.1 jailbreak+untether is working out great. All devices are covered except for AppleTV3,1, which currently has no path for jailbreaking.
- the initial 5.1.1 plan used a kernel exploit from @westbaer which unfortunately precluded use in iPod3,1 and iPhone2,1
- @planetbeing stepped up and provided a kernel exploit that covers both of those. Those two JBers are the bomb!
* The 5.1.1 A5 JB is very similar to the A5 5.0.1 JB. @pimskeks has done a tremendous job supporting both 5.0.1 and 5.1.1 in absinthe
* Similar to 5.0.1, there will also be a 5.1.1 CLI "cinject" binary and redsn0w version of the 5.1.1 JB+untether. Absinthe, cinject, and redsn0w will all provide the same JB in different fashions.
- timing is indeterminate. Plans are for this week, but a number of factors can influence that.
* For those wishing to donate, we've set up a new 5.1.1 paypal URL: paypal
* Please don't pirate AppStore apps (seriously, please do not).

~pod2g

List of tested devices for the upcoming 5.1.1 jailbreak

2012-05-15T10:14:00.003+02:00

Here is the list of devices that are known to work for sure :

iPhone 3Gs
iPhone 4
iPhone 4 CDMA
iPhone 4S
iPad 1
iPad 2 Wifi
iPad 2 GSM
iPad 2 CDMA
iPad 3 Wifi
iPad 3 CDMA
iPad 3 Global
iPod 3G
iPod 4G
AppleTV 2

Here is the list of devices that won't be supported :

AppleTV 3

Remains to test (but that should work) :

iPad 2 Wifi, R2

[updated May 24th 2012, 01:00 GMT]

HITB SecConf Amsterdam

2012-05-14T17:16:00.001+02:00

It's like something big's going to happen at HITB related to jailbreaking : look at this.

No more to say ;-)

It's still time to register if you want to be there.

I would be around, and lot of people of the iOS security field !

See you there.

5.1.x untethered jailbreak FAQ

2012-05-14T12:42:00.000+02:00

I receive lots of questions either by email or twitter about the 5.1.x untethered jailbreak.

Here are some answers :

The poll about releasing now or waiting for 6.0 ended with a 64% / 33% to release ASAP. Where is the link ? ETA ? How much % done ? etc.

As I said earlier in twitter, there's still a lot to do to have a user friendly and well tested tool to install the jailbreak on end users devices. Expect a release in a couple of weeks.
Will it be compatible with my <any random iOS device> ?

It will be compatible with any device running iOS 5.1.1 except iPod 3G, iPhone 3Gs and ATV3 (right now, may change in a near future, nobody knows).
Why is it so slow to release now that the iPad 3,1 has been demoed ?

There are 16 different devices out there to work on and to test. It takes time.
May I be a beta tester ?

No, sorry. Only really trusted people (that can be counted on one hand) could have access to the jailbreak. I don't want any leak to happen.
What if I offer you 1,000,000$ ?

That doesn't change a thing.

Be patient, it's gonna happen.

See you my friends.

~pod2g

iPad 3 iOS 5.1 untethered jailbreak

2012-05-11T02:52:00.003+02:00

Credits :

- boot code execution exploit : @pod2g

- ASLR bypass exploit : @pod2g

- sandbox bypass exploit : @pod2g

- kernel vulnerability : @westbaer

- jailbreak : @pod2g

Thanks to :

@pimskeks @p0sixninja @xvolks @MuscleNerd @planetbeing @comex @0naj

IDC script to help reverse iOS 5 binaries with IDA < 6.2

2012-04-20T13:31:00.000+02:00

Apple is not standing still and in iOS 5 the default compiler is LLVM instead of GCC. It produces somewhat different code and IDA < 6.2 fail to resolve references which are now relative to PC.

I wrote a little IDC script to resolve those refs (I don't know if another solution exists...). Feel free to use it and modify it to your needs.

It's on github.

Here is an example of code dissasembled with IDA :

__text:00001000 MOV R4, 0x12344
__text:00001008 ADD R4, PC

After executing this IDC script :

__text:00001000 MOV R4, 0x12344
__text:00001008 ADD R4, PC ; off_13350

(if the address is named, the name will appear instead of off_xxx)

The xref is also added so that when you type X on address 0x13350 you'll see where it is used.

Hope it could help.

~pod2g

A working GNU Debugger on iOS >= 4.3

2012-02-24T00:04:00.000+01:00

People know that the gdb package coming from Cydia is broken since 4.3.

But here is a simple way to have a working gdb running on your iOS device : use the one from the Apple SDK !

Prerequisites :

- a jailbroken iOS >= 4.3 device

- OpenSSH should be installed on the iOS device and should listen for connections

- an OSX machine with the iOS SDK >= 4.3 installed

How to :

- remove the gdb package from Cydia

- do the following in the OSX terminal :

cd /tmp

cp /Developer/Platforms/iPhoneOS.platform/Developer/usr/libexec/gdb/gdb-arm-apple-darwin .

lipo -thin armv7 gdb-arm-apple-darwin -output gdb

nano entitlements.xml

- paste the following to the OSX terminal :

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>com.apple.springboard.debugapplications</key>

<true/>

<key>get-task-allow</key>

<true/>

<key>task_for_pid-allow</key>

<true/>

</dict>

</plist>

- save the file by doing CTRL + X, then 'Y', then 'ENTER'

- now do the following in the OSX terminal :

ldid -Sentitlements.xml gdb

scp gdb root@<iOS Device IP Address>:/usr/bin/

- GDB is now installed to your iOS device.

Happy debugging !

~pod2g

Absinthe v0.3

2012-01-26T09:35:00.001+01:00

Chronic Dev Team has released a new version of the A5 jailbreak tool Absinthe.

Don't reapply if your 5.0.x device is already jailbroken as it won't change anything.

The untether payload is exactly the same, only the computer part has been improved for stability issues.

Here are the links:
- Absinthe Windows v0.3
- Absinthe MacOSX (>=10.6) v0.3
- Absinthe Linux v0.3

Absinthe update 0.1.2-2

2012-01-20T22:08:00.002+01:00

Chronic Dev Team has released a new build that'll point the web clip to greenpois0n.com instead of the absinthe dedicated page.

This will handle better the workload.

Here is the modified build link : Absinthe MacOSX (>=10.6) v0.1.2-2

Absinthe (iPhone 4S and iPad 2 untether installer) is out

2012-01-20T18:12:00.003+01:00

The greenpois0n blog is under heavy load... because it's indeed out !

Here is the download link of Chronic Dev Team's Absinthe : Absinthe MacOSX (>=10.6) v0.1.2-1

Happy Cydia !