1. phillmont22900's Avatar
    Hi,

    I'm working on a project called p0dex which will provide an untethered jailbreak (or maybe a semi-jailbreak) on iOS 6.1.3.
    And so far what I've got is:
    - Gained root access (full r/w on the device's ramdisk);
    - Injected my own exploit (called p0dex BootMaster 1.0.0);
    - SSH to the device w/out OpenSSH, but the device is in DFU mode;
    - Injected jailbroken binary files into /usr/bin;
    and all of them still leave the device bootable (untethered) with all features functional.

    So, I'm thinking of installing vShare, for which I have the unsigned IPA on the device (iFunBox reports "no Jailed").
    But it failed due to the code signature.

    So if we look back to the iOS 6 beta, after installing SSH using redsn0w, we could install Cydia using cyinstall.sh through SSH in a terminal.

    And I've mentioned I can get to SSH on my device, but the Terminal shows "sh-4.0#" and I can't use wget, dpkg, killall, and other things a normal jailbroken device can do.

    So, I'm able to inject the binaries into /usr/bin, but there's no wget, no dpkg, no killall. I've only got chmod and a few others.

    Conclusion of question:
    1. How can I get the dpkg, wget, killall, and other binaries and get them working on my device?
    2. Is there any way I can load the DEB into my freshly decrypted root FS DMG from the IPSW?
    3. Why does the .app file extracted from the IPA and copied to /Applications on the device not run? And how do I make it run?
    4. How do I get the command "ssh [email protected] -p 2022" working with no "sh-4.0#"?

    Sorry for the bulk questions; I'm in a different time zone, so please answer all my questions...

    THANK YOU VERY MUCH
    2013-07-08 12:01 PM
  2. Orby's Avatar
    Long story short, it sounds like you don't have unsigned code execution on your iPhone... what model of iPhone are you working with here?
    2013-07-08 10:40 PM
  3. phillmont22900's Avatar
    Actually I'm working with the iPod touch 4, but I'm sure it also works for the iPhone.

    Just about 4-5 hours after I posted this question, I successfully copied the /usr/bin binaries like dpkg, etc. to my device. Nothing went wrong.

    But when I execute dpkg -i /cydia-1.1.8.deb, it says "dpkg: unable to access dpkg status area".
    Tried running dpkg -r /tempdir, same thing.

    By the way, what is unsigned code execution? Is that some kind of binary like dpkg? What is it?

    Actually I gained root access and SSH to the device (still "sh-4.0#") from this video by macmixing:


    Thanks for the quick reply.
    2013-07-09 03:50 AM
  4. Orby's Avatar
    No, unsigned code execution is the ability to run whatever code you want on the device, not just Apple's stock code.

    Normally, all the code on the iPhone bears a digital signature from Apple that verifies it hasn't been tampered with, and the iPhone will not run anything that does not bear a valid signature from Apple. The nature of this signature is effectively inimitable, and it's enforced from the bootrom on up. Jailbreaking requires patching these code-signature verifications out of at least the kernel, without those patches and alterations making the kernel fail its signature check.

    Binaries you add via SSH like dpkg do not bear this signature, and so will not run.

    I regret to inform you, but there are no new exploits in play here. The ramdisk harnesses the limera1n exploit to write unsigned code (editing the AFC2 daemon + fstab), thus enabling full read/write access in the filesystem. This does not exist in current production builds, nor can I fathom it existing in iOS 7 when it's finalized.
    2013-07-10 02:24 AM
  5. phillmont22900's Avatar
    Oh, I see.

    So, is there any way we could make our own tethered/untethered jailbreak? Like some tutorials or anything...

    But all I know is that the key to jailbreaking a mobile device is to look for vulnerabilities in the system RAMDisk, isn't that true?

    And then, why, even though I have root access to my device, can't I install unsigned IPAs?
    BTW, I know the answer to that, it's simple. I don't have:
    - Unsigned code execution; and
    - *******;
    installed on my device, right?

    Anyhow, ******* comes in the Debian package (.deb) file format. There's no IPA form of it, not even .app.
    Any way I could install that on my device?

    Thanks for the quick reply.

    By the way, if we extract an IPA, apparently we get three files:
    - iTunesMetadata.plist;
    - iTunesArtwork (which is actually a PNG image); and
    - Payload folder.
    The Payload folder contains an .app file (actually it's an archive folder) which is the 'main core' of the Application.
    Here comes the question. Why, if we simply copy the .app file to the /var/stash/Applications directory on our device (which is the System Applications folder, or via the shortcut /Applications) and reboot/respring the device, does the App icon show up on the Home screen but the app doesn't run, it crashes? Why is that? And how can I get it to work?

    Note: And by the way, the "*******" in Post #5 above is not a swear word, but it's /mod edit/.
    Last edited by Bo Troxell; 2013-07-12 at 12:41 AM.
    2013-07-11 09:07 AM
  6. DC_Dave's Avatar
    Hi, this post shows you how to convert a .deb to an .ipa:

    JailbreakErra: Turn Cydia applications from a .DEB to an .IPA

    And InstaSign will sign an .ipa with a developer's profile so that it will install and run, provided your iDevice's UDID is added to your list of developer test devices and the accompanying mobile provisioning profile is installed.

    InstaSign :: uhelios
    2013-07-11 03:54 PM
  7. Orby's Avatar
    It is by no means as easy as "why doesn't someone write a tutorial on how to jailbreak?" It is an incredibly convoluted and difficult process, requiring mastery of a plethora of very challenging-to-learn engineering and coding skills (and of course, requiring different sets of exploits in different places every time, as Apple fixes all these exploits pretty quickly after they're discovered). The ramdisk is just one of dozens, if not hundreds, of potential pieces that could come together in glorious harmony for a jailbreak. Evasi0n and Absinthe, for example, do NOT use ramdisks at all on the A5/A6 chips.

    The reason those apps are crashing is that they're probably hitting both code signature errors and sandbox violations, running outside of their normal iTunes Store location(s).

    Also, you don't need (and really shouldn't use) a piracy-related method to install applications on your device, jailbroken or otherwise...

    EDIT: If you're serious about learning how to jailbreak, I'd suggest learning how to code with C, Objective-C, and probably assembly (to start).
    Last edited by Orby; 2013-07-12 at 12:15 AM.
    2013-07-12 12:09 AM
  8. phillmont22900's Avatar
    But I saw a video on YouT*** that someone posted about making your own tethered jailbreak.
    Its Part 1 talks about patching iBSS, iBEC, iBoot and something like that.
    But somehow the OP never posted Part 2.

    Btw, back to my question. I don't have any iPhone developer certificates or any $99 enrollments, but I have someone's developer_identity.cer and its Provisioning Profile (.mobileprovision).

    @DC_Dave: I have read that post by JailbreakEr** and it doesn't look quite clear. How is it supposed to 'extract' the DEB file? It's an encrypted package from the Linux platform.

    Inst**ign can sign DEB files too. It's just that somehow my "not mine" provisioning profile can't be used to run Xcode project files on the device, or to sign an IPA. I have added the .cer to the keychain and loaded the .mobileprovision. But still, there is an X icon on Inst**ign and there is no "iPhone Developer: XXXXXXXX (XXX)" in Xcode's code signing popup menu.

    Thanks for the quick post anyway :)
    2013-07-15 12:33 PM
  9. DC_Dave's Avatar
    Hi, I was reading another post about installing Cydia on a non-jailbroken device:
    http://modmyi.com/forums/t-mobile/82...lbreaking.html
    And it occurred to me it would be interesting to get MovieBox and MxTube installed on a non-jailbroken iOS 6.1.3 iPhone 4S too.
    Reading the JailbreakErra: Turn Cydia applications from a .DEB to an .IPA tutorial, as an example, download MxTube from the BigBoss repo:
    http://apt.thebigboss.org/repofiles/...mxtube_2.1.deb
    Unzip it, you get two files, then extract the data.tar.gz.
    Now you have an Applications folder with the MxTube.app inside.
    Rename the Applications folder to Payload, then zip the Payload folder and rename the zip to MxTube.ipa.
    Now if you have a developer's licence, you should be able to sign your .ipa using InstaSign with your developer profile. Then, in order to run a signed .ipa, you first need to install a mobile provisioning profile on your iPhone so that it will be recognised as a developer's test device. If you don't have a developer's licence, InstaSign will add your iDevice to their list of test devices for a fee. InstaSign :: uhelios
    2013-07-16 12:34 AM
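The .deb-to-.ipa repackaging walked through above, as an added example that is not part of this thread and not JailbreakErra's or InstaSign's tooling: it parses the .deb's outer ar container by hand, lifts Applications/<X>.app out of data.tar.*, writes it under Payload/ in a zip, skips everything else in the package (such as /usr/bin files), and refuses packages that carry no .app. The function names and the Demo.app sample .deb are constructed here, not a real Cydia package; the .ipa it produces is unsigned and, exactly as the post says, still has to be signed against a provisioning profile that lists the device UDID before iOS will run it.

```python
import io, tarfile, zipfile
AR_MAGIC = b"!<arch>\n"  # a .deb is a plain 'ar' archive holding debian-binary, control.tar.*, data.tar.*
def ar_members(blob: bytes) -> dict:
    """Parse the outer 'ar' container of a .deb into {member name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(blob):  # each member: 60-byte ASCII header, data, padding to an even offset
        hdr = blob[pos:pos + 60]
        name, size = hdr[0:16].decode().rstrip().rstrip("/"), int(hdr[48:58])  # GNU ar appends '/'
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)
    return members
def deb_to_ipa(deb: bytes) -> bytes:
    """Copy Applications/<X>.app/* out of the .deb's data tarball into Payload/<X>.app/* of a zip."""
    members = ar_members(deb)
    data_name = next((n for n in members if n.startswith("data.tar")), None)
    if data_name is None:
        raise ValueError("no data.tar.* member in .deb")
    out, count = io.BytesIO(), 0
    # 'r:*' autodetects gzip, bzip2 and xz/lzma, so Cydia's data.tar.lzma packages work as well
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tar, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as ipa:
        for m in tar.getmembers():
            parts = (m.name[2:] if m.name.startswith("./") else m.name.lstrip("/")).split("/")
            # keep only regular files under Applications/<bundle>.app/; drop /usr/bin etc., refuse '..'
            if not m.isfile() or len(parts) < 3 or parts[0] != "Applications" \
                    or not parts[1].endswith(".app") or ".." in parts:
                continue
            ipa.writestr("Payload/" + "/".join(parts[1:]), tar.extractfile(m).read())
            count += 1
    if count == 0:
        raise ValueError("package has no Applications/*.app (a tweak or library?); nothing to repackage")
    return out.getvalue()
def ipa_entries(ipa: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(ipa)) as z:
        return sorted(z.namelist())
def _ar_entry(name: str, data: bytes) -> bytes:  # classic ar header: name16 mtime12 uid6 gid6 mode8 size10 "`\n"
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
    return hdr + data + (b"\n" if len(data) & 1 else b"")
def build_sample_deb() -> bytes:  # constructed stand-in for a Cydia .deb, not a real package
    files = {"./Applications/Demo.app/Info.plist": b"<plist/>", "./Applications/Demo.app/Demo": b"\xcf\xfa\xed\xfe",
             "./usr/bin/demo-helper": b"#!/bin/sh\n"}  # the /usr/bin file must not end up in the .ipa
    data = io.BytesIO()
    with tarfile.open(fileobj=data, mode="w:gz") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return AR_MAGIC + _ar_entry("debian-binary", b"2.0\n") + _ar_entry("data.tar.gz", data.getvalue())
```

Running deb_to_ipa(build_sample_deb()) yields a zip whose only members are Payload/Demo.app/Demo and Payload/Demo.app/Info.plist; a real MxTube .deb from the BigBoss repo goes through the same path.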