iOS jailbreak -> layout check via cyrun

iOSJailbreak.md

JailBreak

unc0ver: ~13.5 https://unc0ver.dev/

checkra1n: ~13 (14 & A10+ experimental) https://checkra.in/

checkra1n

• download checkra
• connect your iPhone via USB
• start JB on checkra

unc0ver

Install unc0ver

• download unc0ver ipa
  • https://github.com/pwn20wndstuff/Undecimus/releases
• install Cydia Impactor for ipa install
  • http://www.cydiaimpactor.com/
• connect your iPhone via USB
• install unc0ver ipa to your iPhone with impactor
  • https://youtu.be/TqHYjLHO0zs

on unc0ver

• before jb
  • turn airplane mode ON
  • turn iOS automatic updates OFF
    • Setting App -> General -> Software Update -> Automatic Updates
  • remove OTA iOS update storage if neccessary
    • Setting App -> General -> iPhone Storage -> iOSxx.x -> delete
• on Settings tab
  • turn Reload System Daemons OFF
  • turn Install OpenSSH ON
  • turn Reinstall Cydia ON
• on Jailbreak tab
  • tap Jailbreak button
  • will reboot iPhone when succeeds in
    • RootFS mount
    • extracting package
    • jailbroken

---

ssh your iPhone

on Cydia

install

• wget
• adv-cmds
• OpenSSH

on PC terminal: ssh root@<your iPhone IP>

• check on Setting App -> Wi-Fi -> connected Wi-Fi cell's info disclosure -> IP address
• default password is alpine
  • https://www.reddit.com/r/jailbreak/comments/4zmdfd/question_what_is_openssh_and_root_password/
• [recommended] after establishing ssh connection, change your root password

Install Cyrun

https://github.com/tateu/cyrun

https://leanote.bitcode.tk/blog/post/sma11case/ios-12.1-unc0ver-Add-Cycript-Support

wget http://apt.saurik.com/debs/cycript_0.9.594_iphoneos-arm.deb
wget http://www.tateu.net/repo/files/net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb
wget http://www.tateu.net/repo/files/net.tateu.cyrun_1.0.5_iphoneos-arm.deb
dpkg -i cycript_0.9.594_iphoneos-arm.deb
dpkg -i net.tateu.cycriptlistenertweak_1.0.0_iphoneos-arm.deb net.tateu.cyrun_1.0.5_iphoneos-arm.deb

which cyrun # => will echo cyrun bin path

Layout Check

cyrun -n <App Name on home icon> -e -d

applicationName: <App Name> is running (<pid>)
    executableName: xxx
    bundleIdentifier: xxx.xxx.xxx
    Cycript is inactive:
    Device is not passcode locked
    Tweak Mode
Do you want to continue enabling Cycript (y or n)?

Waiting for Process to close...
Waiting for Cycript to become active...
Successfully enabled, you may now run
    cycript -r xxx.xxx.xxx.xxx:xxxx
    
cy# [[UIApp keyWindow] recursiveDescription].toString() # => will show view hierarchy

Cycript command examples here:

https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06c-reverse-engineering-and-tampering#cycript-and-cynject

---

extract ipa file

on Cydia

install

• ipainstaller

on SSH

# check bundle id list
ipainstaller -l
# save ipa file to /var/private/mobile/Documents/
ipainstaller -b <bundle id>

from Host

scp -r root@<iOS device ip>:/path/to/ipa .