
An analysis on iOS Jail-breaking Rendered by Heqing 1.



1 An analysis on iOS Jail-breaking. Rendered by Heqing

2 Outline
What is Jailbreak
Why to Jailbreak: a self-redemption
iOS firmware authentication mechanism
Identifying yourself (bypassing the firmware authentication)
Storing the SHSH for later authentication
iOS exploits classification
iPhoneLinux: building your own playground
Some related legal issues
Some points of Jailbreaking


4 What is Jailbreak
A. iOS is Apple's mobile operating system. It is derived from Mac OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system.
B. Apple does not permit the OS to run on third-party hardware and also restricts how iOS may be used on its own iDevices.
C. iOS has been subject to a variety of hacking methods focused on adding functionality not supported by Apple.

5 What is Jailbreak
Hacking methods focused on adding functionality not supported by Apple are called iOS Jailbreak: a process that allows iDevice users to gain root access to the command line of the iOS operating system.

6 Why to Jailbreak
A. Download extensions and themes that are unavailable through the App Store (via installers such as Cydia).
B. Perform other tasks, including installing non-Apple operating systems such as Linux, or running multitasking on older iDevices.
C. Use the authentication server built by the Jailbreak community to freely downgrade to a certain firmware version.
D. Cydia creator Jay Freeman estimates that over 10% of all iPhones are jailbroken.
E. ...

7 iOS firmware authentication mechanism
SHSH Blob is short for Signature HaSH. An SHSH Blob is a 128-byte RSA signature used to verify the validity of firmware on newer Apple iOS devices.
Exclusive Chip ID, or ECID, is a 16-digit hexadecimal number used to uniquely identify Apple iDevices. It is now widely considered a new security feature from Apple, implemented to stop jailbreaking of future firmwares.

8 iOS firmware authentication mechanism
A. The SHSH and the ECID of a device are combined and used by Apple as the challenge key in its challenge-response authentication protocol.
B. This authentication is performed in order to digitally sign iOS software.
C. The response from Apple is the SHSH Blob itself: the digital signature required to validate the firmware.

9 iOS firmware authentication mechanism
A. During the restore process, users see "Verifying restore with Apple...".
B. In the authentication process, iTunes acts as the signing client and as the party that enforces the protocol whenever iOS software is upgraded or restored.
C. When you restore your iDevice, iTunes contacts Apple's servers to generate signatures (SHSH) just for your device, based on the personalized firmware. iTunes is only authorized to restore the firmware version addressed in the SHSH, so no downgrade is available.

10 Identify yourself: bypassing the firmware authentication
A. Apple will only sign the most recently published firmware version; that is, it stops signing any lower iOS version for the corresponding iDevice.
B. Some version-based Jailbreaks only work on old, unpatched firmwares.
C. A nightmare for jailbroken iDevices? No!!!

11 Identify yourself: bypassing the firmware authentication
A. Because the challenge key (ECID + SHSH) is static, a saved copy of the signature stays useful in a replay attack that tricks the signer, iTunes, into validating an old firmware.
B. A fake server that the user can point iTunes to by adding a hostname/address pair, e.g. “126.192.208.100”, to the local hosts file.
C. This server mimics the functionality of Apple's signature server, but uses “on file” results rather than Apple's live challenge and response.
D. This self-constructed server plays the man in the middle (MitM).

12 Save the SHSH for later authentication (replay attack)
A. Whoever updates an iDevice to newer firmware without saving the ECID SHSH blobs loses not only the jailbreak but also the ability to downgrade the iDevice to an older firmware.
B. Even users who are not jailbreaking should consider using the new “on file” service.
C. Consider the case where Apple releases an OS upgrade in the future, a user takes it, and then something important accidentally breaks, such as the e-mail account or the to-do list.

13 Save the SHSH for later authentication (replay attack)
A. This server acts as a cache for any SHSH blobs it hasn't seen, which effectively registers the user's iDevice with the “on file” mechanism; users can then enjoy the protection of being able to downgrade their firmware at any time in the future.
B. Once a copy of Apple's sign-off has been stored and is returned at a later point, a replay attack is sufficient any time the user requires a downgrade.
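A simplified model of the challenge-response signing on slides 7 to 9 and of the replay that slides 10 to 13 describe, added here as an example (not code from the presentation or from Apple). An HMAC under a constructed key stands in for Apple's RSA signature, the ECID and firmware names are constructed, and the nonce-bound variant shows the standard countermeasure, binding a device-generated fresh value into the signed data, which the slides do not cover.

```python
import hashlib, hmac, secrets

# Constructed key standing in for Apple's private signing key (assumption);
# HMAC-SHA256 replaces the 128-byte RSA signature described on the slides.
SIGNING_KEY = b"constructed-signing-key"
CURRENTLY_SIGNED = {"fw-4.2"}   # slide 10: only the latest release is still signed

def sign_static(ecid, fw_version):
    # Static challenge: the response depends only on (ECID, firmware version).
    return hmac.new(SIGNING_KEY, f"{ecid}|{fw_version}".encode(), hashlib.sha256).digest()

def sign_with_nonce(ecid, fw_version, nonce):
    # Hardened variant: a device-chosen fresh nonce is bound into the signed data.
    msg = f"{ecid}|{fw_version}|{nonce.hex()}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()

def apple_server(ecid, fw_version, nonce=None):
    # Live signing server: refuses any firmware that is no longer being signed.
    if fw_version not in CURRENTLY_SIGNED:
        return None
    return sign_with_nonce(ecid, fw_version, nonce) if nonce else sign_static(ecid, fw_version)

class Device:
    # The iDevice's restore-time check of the SHSH blob it is handed by iTunes.
    def __init__(self, ecid):
        self.ecid, self.nonce = ecid, None

    def fresh_nonce(self):
        self.nonce = secrets.token_bytes(8)   # regenerated on every restore attempt
        return self.nonce

    def accepts_static(self, fw_version, blob):
        return hmac.compare_digest(blob, sign_static(self.ecid, fw_version))

    def accepts_nonced(self, fw_version, blob):
        return hmac.compare_digest(blob, sign_with_nonce(self.ecid, fw_version, self.nonce))

def downgrade_via_cached_blob():
    # Slides 11-13: a blob saved while fw-4.1 was signed is replayed after Apple
    # stopped signing it; the live server refuses, the cached blob still passes.
    dev = Device("000A1B2C3D4E5F60")            # constructed ECID
    cached = sign_static(dev.ecid, "fw-4.1")
    return apple_server(dev.ecid, "fw-4.1") is None and dev.accepts_static("fw-4.1", cached)

def downgrade_via_cached_blob_with_nonce():
    # Same replay against the nonce-bound variant: a new nonce is drawn, so it fails.
    dev = Device("000A1B2C3D4E5F60")
    cached = sign_with_nonce(dev.ecid, "fw-4.1", dev.fresh_nonce())
    dev.fresh_nonce()
    return dev.accepts_nonced("fw-4.1", cached)
```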

14 iOS exploits classification
Why are firmware versions so important? Specific exploits live in specific firmware versions.
Three main types of exploits: Userland Exploits, iBoot Exploits and Bootrom Exploits.

15 iOS exploits classification: Userland Exploits
A. The term userland refers to all the code that runs in user space rather than kernel space, such as Safari or the mail client.
B. It gives an untethered Jailbreak, user-friendly and platform independent, since it works at the application layer rather than the iBoot layer.
C. Drawbacks: filesystem access only, no very low-level control of the kernel; easily fixed.

16 iOS exploits classification: iBoot Exploits
A. Give low-level control of iOS: iBoot access.
B. iBoot exploits are found in the iDevice's third bootloader, called iBoot.
C. Breaking the code-signing mechanism from iBoot lets the user install and run a program that does all the ‘evil’.
D. Precious exploits: although tethered, they are a deeper-level type of exploit through which the user can make the device accept custom firmware and probably jailbreak forever more.

17 iOS exploits classification: Boot-ROM Exploits
A. The lowest-level control of iOS, completely bypassing the code-signing mechanism.
B. Found in the iDevice's 1st bootloader, the SecureROM (code flashed in the hardware).
C. Disable signature checks and then load patched NOR firmware.
D. Cannot be patched easily by Apple; a new chip is needed.

18 iOS exploits classification
The layered exploit classification, with the mechanisms and working environments introduced above, is based on this boot chain:
SecureROM -> Low Level Bootloader (LLB) -> iBoot -> Kernel -> System Software
Bootrom Exploits -> iBoot Exploits -> Userland Exploits
Each stage checks the signature of the next stage in the chain before loading it.
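A toy model of the boot chain on this slide, added as an example (not code from the presentation or from Apple): each stage verifies the signature of the next before loading it, and the model shows how defeating the check at one stage leaves every later stage unverified, which is why slide 17 says a bootrom exploit cannot be fixed without a new chip. An HMAC under a constructed key stands in for RSA, and the stage contents and the fixable_by_firmware_update helper are assumptions.

```python
import hashlib, hmac

# Constructed key standing in for Apple's public verification key (assumption);
# HMAC-SHA256 replaces the RSA signature each boot stage carries.
VERIFY_KEY = b"constructed-verify-key"
STAGES = ["LLB", "iBoot", "Kernel", "System Software"]  # loaded after SecureROM

def sig(code):
    return hmac.new(VERIFY_KEY, code, hashlib.sha256).digest()

def build_chain(tampered=None):
    # Each stage is (name, code, signature). A tampered stage keeps the signature
    # issued for the genuine code, so its check fails unless nobody checks.
    chain = []
    for name in STAGES:
        genuine = f"{name} code".encode()
        code = genuine if name != tampered else f"{name} code (patched)".encode()
        chain.append((name, code, sig(genuine)))
    return chain

def boot(chain, exploited=None):
    # Walk SecureROM -> LLB -> iBoot -> Kernel -> System Software. 'exploited' names
    # the stage whose own signature check has been defeated; every stage it loads,
    # and everything after, runs unverified. Returns [(stage, status), ...].
    verifier, trusted, log = "SecureROM", True, []
    for name, code, s in chain:
        if verifier == exploited:
            trusted = False                      # this stage no longer enforces its check
        if trusted and not hmac.compare_digest(s, sig(code)):
            log.append((name, "rejected"))
            return log
        log.append((name, "verified" if trusted else "unverified"))
        verifier = name
    return log

def fixable_by_firmware_update(exploited):
    # Slide 17 D: SecureROM is in silicon, so a bootrom exploit needs a new chip;
    # the later stages live in updatable firmware and can be patched by Apple.
    return exploited != "SecureROM"
```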

19 iPhoneLinux program: building your own playground
A. iPhoneLinux aims to port Linux to the iPhone and make a Free (free software) OS alternative.
B. It replaces the boot chain after iBoot:
SecureROM -> Low Level Bootloader (LLB) -> iBoot -> Kernel -> System Software
becomes
SecureROM -> OpeniBoot -> Linux Kernel -> X Server -> Window Manager

20 iPhoneLinux program: building your own playground
A. On April 21, 2010, an Android distribution based on iPhoneLinux called iDroid was released, fully porting the Linux kernel and the Google Android OS to Apple's iDevices.
B. The 'OpeniBoot' bootloader helped the team finish the work of booting the Linux kernel, and enables users to boot any other Linux-based operating system easily.
C. Build your own playground on the iDevices, without restrictions from Apple.

21 Legal Issues
A. Copyright?
B. Unlocking the phone in order to switch carriers?
C. Trafficking in the tools used to make jailbreaking easy?
D. Sharing paid App Store applications?

22 Legal Issues
A. On July 26, 2010, the U.S. Copyright Office approved exemptions to the DMCA that make jailbreaking legal.
B. It is still possible that Apple may employ technical countermeasures to prevent jailbreaking or to stop jailbroken phones from functioning, but it will not be able to sue users who jailbreak.
C. It is unclear whether it is legal to traffic in the tools used to make jailbreaking easy.
D. Illegally sharing paid App Store applications has caused some strife within the jailbreaking community.

23 Some Points of Jailbreaking
A deeper and wider desire: "rejected applications" (Apple likes to claim that it didn't reject these applications, it simply "didn't accept" them...). Camera recording, multitasking...
Jailbreaking isn't just about applications that Apple "rejected"; it is also about taking the provided tools and going in a new direction. The most popular packages available in Cydia aren't even "applications" but "extensions": seamless and pervasive modifications to existing software.

24 Thank you! ; )
