Exploiting the iPhone 4 (axleos.com)
556 points by codyd51 8 months ago | 74 comments
Hi HN, author here! For the past three months, I've been obsessively working on gala, a jailbreak for iOS 4 that currently targets the iPhone 4. While other jailbreaks for this device, and this iOS version, already exist, the 'special sauce' of this jailbreak is that it comes with a 6-part series describing the building of a jailbreak and the many challenges that arose when jailbreaking iOS. The series includes interactive visualizations at every step of exploiting the device - from pulling memory dumps of the boot ROM to debugging a flashed filesystem image.

That said, this isn't just a bare-bones jailbreak with some writing attached: gala is a fully-fledged suite that includes a significant Python application, a Cocoa GUI for end-users, a Rust payload, Cocoa Touch games to play within the boot environment while the jailbreak completes, and C utilities that run on-device.

This was a lot of fun, and the journey included lots of milestones: when an iOS device boots, it does so in discrete stages (boot ROM, then boot loader, then kernel, etc.). This meant that my experience of developing this jailbreak also included these milestones, as over time I successfully compromised and ran each of these stages!

Building this was personally exciting because I used to regularly make and sell tweaks for jailbroken phones on Cydia. The jailbreaks themselves always seemed like inscrutable black magic, until now!

I'm really gratified to have finished up this project, and am excited to put it out into the world. Please feel welcome to have a look at the code, the writeup, or give it a spin on an old iPhone 4 that you have lying around. I hope you enjoy!

I finally created a hackernews account after lurking for years just to write this. Thanks for taking the time to capture what (for many) was a mystical black box for years. I have distinct memories of being super nervous whilst jailbreaking my iPod 4G on iOS 4, wondering what all the scrolling terminal messages meant. Then, doing it for my mates over school lunch, worrying that I might unintentionally screw up their phone and be responsible for a few hundred dollars worth of 'bricked' technology lol.

In a way, all those years later, that 'magic' of breaking through Apple's walls and running custom code is what enticed me to get into programming. I have immense gratitude to all involved.

Many days I hate working in tech and specifically what I don't understand or get done when I set goals. Reading these posts every once in a while inspires me not to give up on open source or tech communities in general. Thank you for sharing!

I love my iPhone. But I miss flashing my various Android devices with CyanogenMod. Felt so cool

If you want you can still do it today with LineageOS :)

Still feels just as cool to me!

Unfortunately, remote attestation in the form of SafetyNet (and friends) killed the custom ROM scene for many.

Aren't there ways of getting attestation working even with custom ROMs? (never tried, but I think I've read something about it in the past)

There are hacks, but they're not reliable and break with every major Android version.

I feel like there haven't been so many viable custom ROMs ever: GrapheneOS, CalyxOS, LineageOS, /e/ OS, DivestOS, ...

I use one of them, my phone came with it, and I never had to do anything special with it. It just works. In my case it's de-Googled so I just have to use alternative apps for e.g. Google Maps and the like.

I had the same experience. Eventually I started writing jailbreak tweaks myself and that's what really got me into programming.

> Then, doing it for my mates

I bet Andy appreciated it!

Thanks for writing this. It takes a deep understanding to explain such complicated concepts in an accessible way. Reading it brought back fond memories of hacking on jailbreak projects deep into the night.

Thank you Ryan, I’m really glad to hear that you enjoyed it!

That was indeed enjoyable to read! Especially as someone who is still terrible at reverse engineering native code.

Now, this is a tethered jailbreak since it uses the system recovery mechanism to breach the chain of trust and ultimately boot a modified version of iOS. I have to wonder how untethered jailbreaks work. Am I right that they don't go through the secure boot chain at all, leaving it intact, instead exploiting one of the privileged processes in a running system (or a non-privileged one, and then doing a separate privilege escalation exploit)? How do they gain persistence then? How do they patch the signature checks out of the kernel without tripping any signature checks in the bootloader and the kernel itself?

Often they arrange things so the kernel is re-exploited from userland during the boot process, or shortly thereafter. Some tricks that I recall being used: adding a new launch daemon; signing an app with a developer certificate; and dropping a binary that abuses quirks in the dynamic linker to evade signature checks.

This is an outstanding write-up! I’m glad to see you’re still active in the community :)

Thank you Dustin, cool to see you around!

Thanks for building this. I have an iPhone 4s with a lot of special pictures. Somehow I forgot my PIN and have to wait for years. If not because of the pictures I'd just reset it. Can I use this to reset the PIN and copy my pictures?

I don't think so. According to [0], the passcode is used to protect filesystem encryption keys, meaning that without the code, you cannot decrypt your files. I don't know if pictures are stored encrypted, but I would assume so.

edit: apparently I might be wrong. [0] also says that for a while only Mail storage was encrypted and the default changed in iOS 7. So if your iPhone is on iOS <= 6, you might be able to use that to gain access to the device and copy pictures. The tools at [1] might help.

[0] https://darthnull.org/ios-encryption/

[1] https://code.google.com/archive/p/iphone-dataprotection/

Thanks, maybe I should let it go. My iPhone 4s has been using iOS 9 if not mistaken.

This was a great write up! But the gut-wrenching moment was seeing the old iOS interface in all its skeuomorphic glory. Jesus, how much I hate John Ive!

You mean back when buttons looked like clickable buttons instead of this "flat" design so terrible they had to add accessibility features to work around its shittiness?

Yes, maybe Jony should have stuck to designing razor-sharp aluminium wrist rests instead of tackling software.

iPhone 4 and 4s were designed with Jobs still around to rein in Ives and others. It was after Jobs' passing but before Forstall's and Ive's departures that things went to shit.

Forstall pushed skeuomorphism to the extreme where Apple might as well be handing you the things they’re trying to emulate and call it a day. Ives, given total freedom, took a steamroller to the UI.

The beauty of the early designs (iOS 1 - 5) was the contrast between materials in the UI. Things you could press were shiny and made to look like they had the feel of the glass screen. This was not the usual way to interact with any device at the time, as most digitizers were plastic sheets laid over the glass that had some give. In contrast, things you could not touch were made to look matte.

Between Forstall and Ives, this all got blown up.

> The beauty of the early designs (iOS 1 - 5) was the contrast between materials in the UI. Things you could press were shiny and made to look like they had the feel of the glass screen. This was not the usual way to interact with any device at the time, as most digitizers were plastic sheets laid over the glass that had some give. In contrast, things you could not touch were made to look matte.

That's why we found those UIs so clear! It all registered without thinking (i.e. frustrated fumbling and frantic guesswork). Progress isn't always improvement, but the two concepts are now dangerously muddled.

It was incredible how the icons looked far more recognizable and easily scannable in a quick glance.

The iPhone peaked at the iPhone 4 and iOS 4. Of course, there have been incremental upgrades since, but that was the last time I remember feeling like the new iPhone was a really big upgrade. The design of both the hardware and software Just Worked (antenna-gate notwithstanding).

iPhone 4 with iOS 4/5 and Snow Leopard on my MacBook in 2010-2011 was the most seamless and enjoyable computing has been for me. Nothing has surpassed those days since.

You need to learn more words because that's not what peak means.

Really enjoyed reading through the first few parts! Cool to follow along from this kind of perspective. I too read through tons of source code to figure out how other people implement things like exploits, fun to see someone else does the same :)

Haven't read this yet, but looking forward to it. Just wanted to say that I used every one of the tweaks listed at the beginning and wanted to thank you for making them. Early iOS jailbreaking was so much fun.

Super nice, I tried to run it but my old device didn't boot to begin with, unfortunately.

I also made tweaks back then, and I also found jailbreaks to be black magic. Reading this, I still kind of think so :)

Thanks so much for writing this up! I am super interested in learning about this kind of content (in particular I'd love to learn to "free" cheap wifi security cameras with my own custom firmware, dafang-hacks style, or how to create a new exploit to root kindle fire tablets, stuff like that), but it is surprisingly hard to find detailed writeups of the process.

Thanks for this, beyond anything I'll likely ever do myself but a fun read :)

FYI the link to part 3 at the bottom of part 2 [1] seems to be unreachable via mouse. On desktop the element img.terminal_in_demo_with_window is overlapping and blocking the link for me

[1] https://axleos.com/exploiting-the-iphone-4-part-2-bypassing-...

Thank you for the heads up! I’ve gone ahead and fixed this.

Magnificent post! I read it in one go, being captivated by revealing the closed gardens that are iOS. Only recently got into jailbreaking, so this is perfectly timed. Thank you so much for IMHO the best HN post of 2023.

Errata: Part 5 has trailing ```

$ /usr/sbin/asr -source /mnt2/rootfs.dmg -target /dev/disk0s1 -erase```

Thank you very much for your kind words, I'm honoured that you read it through in one sitting! In general, the nice feedback from everyone has been very rewarding after working for quite a while on this.

I've gone ahead and fixed that - good catch, and thank you again!

This is very cool, and it’s a fun read so far.

I have a tangential, low-value question that I figured I might as well ask since the author is here. I have an old iPhone 4s whose passcode I have forgotten. I’d like to get some of the photos and data off. As far as I can tell, this exploit doesn’t require “legit” access to the device. Would this process be useful for retrieving data that’s already on the device?

There are proven ways to unlock older iPhones. You can upload a modified ROM that increases the lockout limit, then brute force your way into the passcode.

> upload a modified ROM that increases the lockout limit.

How do you do that? I have the same problem with an iPhone 4s. I should still have the Apple ID but I forgot the PIN and now I'm locked. I only want the pictures.
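An added illustration (not code from gala, the thread, or Apple's actual Data Protection implementation) of the two points raised above: a passcode does not unlock anything by itself but is stretched into a key that wraps the filesystem class key, and once a lockout limit is lifted, a 4-digit PIN falls to enumeration with only the KDF cost as a brake. The PIN "1234", the salt, the toy HMAC-keystream wrap, the iteration count and the `Device` class are all constructed for the demo; real devices also bind the derivation to a per-device hardware key, which is why the brute force has to run on the phone rather than offline.

```python
"""Toy model of passcode-wrapped class keys and a lockout-limited brute force.

Constructed example: PBKDF2-HMAC-SHA256 stretches the PIN over a device salt,
the result wraps a random 'class key' with a toy authenticated wrap
(HMAC-derived keystream XOR plus an HMAC tag), and a Device object enforces a
failed-attempt limit that a 'modified ROM' would raise. Per-file keys would
be wrapped under class_key in the same way (not shown).
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 1_000  # deliberately low so the demo runs in well under a second


def derive_passcode_key(pin: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the PIN into a 256-bit key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext_key: bytes) -> bytes:
    """Return nonce || ciphertext || tag so a wrong KEK is detectable."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext_key, _keystream(kek, nonce, len(plaintext_key))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the wrapped key, or None if the KEK (i.e. the PIN) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


class Device:
    """What an attacker with raw flash access sees: salt + wrapped key, never the PIN."""

    def __init__(self, pin: str, lockout_limit: int = 10):
        self.salt = os.urandom(16)
        self.class_key = os.urandom(32)
        self.wrapped_class_key = wrap(derive_passcode_key(pin, self.salt), self.class_key)
        self.failed_attempts = 0
        self.lockout_limit = lockout_limit  # the policy a modified ROM would raise

    def try_unlock(self, pin: str) -> Optional[bytes]:
        """Unwrap the class key with the given PIN, counting failures toward lockout."""
        if self.failed_attempts >= self.lockout_limit:
            raise RuntimeError("device locked / wiped")
        key = unwrap(derive_passcode_key(pin, self.salt), self.wrapped_class_key)
        if key is None:
            self.failed_attempts += 1
        return key


def brute_force_pin(device: Device, digits: int = 4) -> Optional[str]:
    """Enumerate every PIN in order; returns the PIN, or None if lockout stops us."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        try:
            if device.try_unlock(pin) is not None:
                return pin
        except RuntimeError:
            return None
    return None


if __name__ == "__main__":
    locked = Device("1234")
    print("with lockout:", brute_force_pin(locked))  # None after 10 wrong guesses
    open_device = Device("1234", lockout_limit=10 ** 6)
    print("lockout lifted:", brute_force_pin(open_device))  # "1234"
```

The only thing standing between an attacker and the class key once the counter is neutralised is `KDF_ITERATIONS` multiplied by the keyspace, which is why a 4-digit numeric passcode is weak regardless of how good the wrap is, and why a longer alphanumeric passcode changes the picture even against a patched lockout.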

Good work, this is super cool!

Thank you Dan! All the best.

As others have already said, thanks for putting this together and making these topics easy to grasp all these years later. It's nice seeing some familiar irc.saurik.com handles in this thread, too :)

Nice! I might bust out my 4 and use it in public for laughs.

People are already agog when I pull out my original SE, the only phone I use (and widely considered the best iPhone Apple made).

Kinda sad, really, what people put up with now.

I really like the blog layout.

Hi Phillip. Lovely article and blog in general! Is there an RSS URL I can't find? Would like to subscribe, but I find email newsletters irritating.

Does this also work on 4s?

Unfortunately, the SecureROM vulnerability that gala exploits was patched in the ROMs shipped with the 4s. Therefore, gala won't work out-of-the-box with the 4s.

However, a newer boot ROM exploit, checkm8, has become well-known in the intervening years. The A5 (that the 4s ships with) is vulnerable to checkm8, which means that it'd certainly be possible to add support for this exploit chain to a project like gala!

I've been waiting for years for a project/tool to come along that allows me access to an old iPhone 4s (S5L8940) I have that is locked with an unknown PIN. I really just want the photos on it for nostalgia reasons.

The closest I found at the time was ipwdnfu, but it doesn't support the 4s [1].

I had assumed that this meant that checkm8 (which ipwdnfu uses/includes) didn't support the 4s either. Is that not the case?

[1] https://github.com/axi0mX/ipwndfu/issues/175

The same exploit is present in the 8940, but the path to get there is slightly different and incompatible with normal PC host USB controllers due to the need to avoid ever sending a zero length packet. There are plenty of ports using low level host hardware, for example https://github.com/a1exdandy/checkm8-a5 .

I think Sliver does what you want (PIN bypass) end to end for this device.

> a jailbreak for iOS 4

presumably not, the 4s launched with iOS 5

I'd also like to know if it works on the 4S.

For fun things you can do with a good working jailbreak, check out this integrity validator that checks if your phone is free of malware by exploiting it: https://github.com/trailofbits/ios-integrity-validator

Amnesty International released Mobile Verification Toolkit to check your phone for malware, by checking encrypted backups on your computer. https://github.com/mvt-project/mvt

TrailOfBits still publishes the iVerify App, which doesn't go so far as actually exploiting your phone, but is still a useful app to have installed. It will send you a notification when there is an iOS update available, and you can configure it to remind you to hard reboot your device on some periodic schedule. I have it installed and appreciate the reminders to reboot.

I’m not sure if you realize that the person you replied to is the founder of TrailofBits :)

I didn't, haha :) classic HN

Most of this is built-in to iOS, and there's no need to "hard reboot your device on some periodic schedule."

Edit: it appears that all of the application's functions are easily done by setting reminders and simple automation using built-in iOS apps. This is crapware and I don't know why OP is pushing it as so necessary.

Periodically rebooting your device is good practice [0], and is even recommended by the NSA [1], in case you're infected with malware that was able to achieve arbitrary code execution but not able to establish persistence (which often requires a separate exploit from whichever exploit achieved the initial infection).

The iVerify app also has other features, eg a checklist of iOS features that you should disable for your security (turning off bluetooth, airdrop, etc.) which the OS does not remind you of, because it's busy encouraging you to enable them.

[0] https://security.stackexchange.com/a/270906/76104

[1] https://media.defense.gov/2021/Sep/16/2002855921/-1/-1/0/MOB...

Everything you described - periodic reminders and checklists - can still be done with the stock applications.

You can even automate turning off bluetooth and airdrop yourself, again, using the built-in automation functions.

So again: what does this 'security' app you're pushing as so necessary, do that cannot be done with the OS's built-in apps?

Also: can the peanut gallery nonsense about iOS being "busy encouraging you to enable" things. Bluetooth is only re-enabled if you disable it from the quick panel, and the OS tells you it will re-enable it. It will not re-enable it if disabled from the settings app. Airdrop does not re-enable itself, ever...

>So again: what does this 'security' app you're pushing as so necessary, do that cannot be done with the OS's built-in apps?

They didn't say security app.

They simply mentioned it as related to the comment they replied to, they aren't "pushing as so necessary". They didn't even say the word "necessary", simply explained the app and that they like it.

I don't understand the hostility.

Everything a word processor does - document layout, formatting, spell checking, copy and paste - could be done with pens, paper, a dictionary, and some glue. So why do people pay money for Microsoft Word?

Hey Siri re-enabled itself on my iPhone 12 Pro Max after I installed the iOS 17.0 update. It's one of the first things I turn off when I get a new phone and I would not have knowingly turned it back on.

Could it have been an installer fluke? Sure. But it's concerning enough.

Apple have a habit of turning features on after a new OS installation, both on iOS and macOS.

> what does this 'security' app you're pushing as so necessary

I called it a "useful app," while responding to a comment that linked to the GitHub repo that originally spawned the app. I never said it's "so necessary."

It's a free app from a reputable security company that provides reminders and checklists that I find helpful. Nobody is forcing you to install it (or to follow best practices like rebooting your device).

Super interesting read, definitely nostalgic. Are you planning to further expand gala's functionality to use a different exploit to gain persistence in the exploit chain for an untethered jailbreak?

Really enjoying the writeup, thanks so much.

Do you know if there is similar literature about sim unlocking of old iPhones?

This is a good starting point: https://www.theiphonewiki.com/wiki/Unlock

ok linux n00bie here (w an iPhone 4)

can i jailbreak it w/out knowing how to program (like how difficult ,|,

Easiest is likely a windows vm with usb passthrough

This looks like great work, and I am really hoping work on this continues!

This is awesome, is there something similar for Android?

Android devices are generally fairly easy to root, although this depends on your manufacturer. If you're sure you want to root your device and understand all of the security implications [1], there is probably a step by step guide for your specific device on websites like XDA.

[1]: https://madaidans-insecurities.github.io/android.html#rootin...

Nice. 178 pages printed to PDF in case the website disappears.

Have you done anything with this on Qemu? https://github.com/danzatt/QEMU-s5l89xx-port/blob/master/hw/...

> This made the real issue clear: iOS 4 ships with an outdated set of root SSL certificates,

A lot of old software installations are in this situation: you can't install SBS2000 or SBS2003 Premium without turning back the clock on the server to 2001 and 2004 respectively.

For any closed source, I've found Ghidra[1] to be quite easy to use and understandable.

[1] https://ghidra-sre.org/

(this is a meta-comment on HN)

The parent comment was dead when I checked, and I vouched for it.

While the parent comment was not too insightful, it wasn't bad either (and you can argue it is useful). Not sure why it was dead.

It seems to me HN is becoming more intolerant recently.
