Closed zner0L closed 1 year ago
The sources are just installed as apt sources in /etc/sources.list.d. Here they are for my iPhone I already set up using Sileo:
iPhone:/etc/apt/sources.list.d root# cat sileo.sources
Types: deb
URIs: https://havoc.app/
Suites: ./
Components:

Types: deb
URIs: https://repo.chariz.com/
Suites: ./
Components:

Types: deb
URIs: http://apt.thebigboss.org/repofiles/cydia/
Suites: stable
Components: main

Types: deb
URIs: https://build.frida.re/
Suites: ./
Components:
And these are the package names of the installed dependencies (gathered by apt list --installed | grep <dependency>):
com.conradkramer.open/stable,now 1.1.1-1 iphoneos-arm [installed]
re.frida.server/stable,now 16.0.11 iphoneos-arm [installed]
sqlite3/stable,now 3.34.1 iphoneos-arm [installed]
com.nablac0d3.sslkillswitch2/now 0.14-3+debug iphoneos-arm [installed,local]
Well, apparently I had a weird version of SSL Kill Switch. The package name should be: com.julioverne.sslkillswitch2
And I was missing their repository in my sources, so we also need this:
Types: deb
URIs: https://julioverne.github.io/
Suites: ./
Components:
Also, apt update gave me some errors that the repositories were not signed and therefore it didn't download it:
iPhone:~ root# apt update
Ign:1 https://repo.chariz.com ./ InRelease
Ign:2 https://havoc.app ./ InRelease
Hit:3 https://repo.chariz.com ./ Release
Hit:4 https://havoc.app ./ Release
Ign:5 http://apt.thebigboss.org/repofiles/cydia stable InRelease
Get:6 https://strap.palera.in iphoneos-arm64/1900 InRelease [8193 B]
Get:8 http://apt.thebigboss.org/repofiles/cydia stable Release [1001 B]
Get:10 http://apt.thebigboss.org/repofiles/cydia stable Release.gpg [181 B]
Ign:11 https://build.frida.re ./ InRelease
Err:12 https://build.frida.re ./ Release
404 Not Found [IP: 2a06:98c1:3121::3 443]
Err:6 https://strap.palera.in iphoneos-arm64/1900 InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3D1B28A5FACCB53B
Ign:10 http://apt.thebigboss.org/repofiles/cydia stable Release.gpg
Reading package lists... Done
E: The repository 'https://build.frida.re ./ Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://strap.palera.in iphoneos-arm64/1900 InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3D1B28A5FACCB53B
E: The repository 'https://strap.palera.in iphoneos-arm64/1900 InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://apt.thebigboss.org/repofiles/cydia stable Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 694D17D38764B4F4
E: The repository 'http://apt.thebigboss.org/repofiles/cydia stable Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
iPhone:~ root# apt update --allow-insecure-repositories
But since gpg isn't even installed on the iPhone I find it a bit ridiculous to check the repo keys. We can just circumvent that by doing:
iPhone:~ root# apt --allow-insecure-repositories update
And then also use the flag --allow-unauthenticated when installing.
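As an added example (not from the thread or the appstraction project), the script below audits the deb822 sources and the apt update output quoted above from a defender's view: it lists which repositories --allow-insecure-repositories would end up trusting without verification. The sample sources file and log lines are constructed from the thread's own output.

```python
"""Audit deb822 apt sources and apt-update output for unverifiable repositories."""
import re

# Constructed sample: two stanzas modelled on the sileo.sources quoted in the thread.
SOURCES = """Types: deb
URIs: https://havoc.app/
Suites: ./
Components:

Types: deb
URIs: http://apt.thebigboss.org/repofiles/cydia/
Suites: stable
Components: main
"""

# Constructed sample: lines modelled on the apt update errors quoted in the thread.
APT_LOG = """W: GPG error: https://strap.palera.in iphoneos-arm64/1900 InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 3D1B28A5FACCB53B
E: The repository 'https://strap.palera.in iphoneos-arm64/1900 InRelease' is not signed.
E: The repository 'http://apt.thebigboss.org/repofiles/cydia stable Release' is not signed.
E: The repository 'https://build.frida.re ./ Release' does not have a Release file.
"""

def parse_deb822(text):
    """Split a deb822 sources file into stanzas (dicts); stanzas are separated by blank lines."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def audit_sources(text):
    """Return {uri: [findings]} for stanzas that weaken package integrity guarantees."""
    findings = {}
    for stanza in parse_deb822(text):
        for uri in stanza.get("URIs", "").split():
            issues = []
            if uri.startswith("http://"):
                issues.append("cleartext transport")
            if "Signed-By" not in stanza:  # no repository key pinned in the stanza
                issues.append("no Signed-By key pinned")
            if issues:
                findings[uri] = issues
    return findings

UNSIGNED = re.compile(r"^E: The repository '(\S+) .*' (is not signed|does not have a Release file)")
NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-F]+)")

def unverifiable_repos(log):
    """Repos apt refused to trust, i.e. exactly what --allow-insecure-repositories would accept."""
    return {m.group(1): m.group(2) for m in map(UNSIGNED.match, log.splitlines()) if m}

def missing_keys(log):
    """Key IDs apt reported as NO_PUBKEY (keys that would have to be imported instead of bypassed)."""
    return sorted(set(NO_PUBKEY.findall(log)))
```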
Well, apparently I had a weird version of SSL Kill Switch.
You had the version from the GitHub repo. The other one in the Cydia repo is a third-party build with (apparently) a different package name.
I was now able to install all the dependencies on my previously freshly jailbroken iPhone (iOS 16.3.1). To summarize my steps:
iPhone:~ root# echo "Types: deb
URIs: http://apt.thebigboss.org/repofiles/cydia/
Suites: stable
Components: main

Types: deb
URIs: https://build.frida.re/
Suites: ./
Components:

Types: deb
URIs: https://julioverne.github.io/
Suites: ./
Components:" > /etc/apt/sources.list.d/appstraction.sources
iPhone:~ root# apt --allow-insecure-repositories update
iPhone:~ root# apt --allow-unauthenticated -y install re.frida.server sqlite3 com.conradkramer.open com.julioverne.sslkillswitch2
Apparently, openssh being available was only in legacy palera1n, however, ssh is still available via iproxy on port 44, as the website states. So with #43 this is still a case of jailbreak-and-go.
Apparently, openssh being available was only in legacy palera1n
I just ran palera1n-c on a factory-reset iOS 15 iPhone. The installer app prompted me to set a password. There is an SSH server listening on port 22, even though I haven't done anything else. However, I can't authenticate:
❯ ssh root@10.0.0.181
(root@10.0.0.181) Password for root@Vanessas-iPhone:
UNIX authentication refused
Entering the same password on the SSH server on port 44 (through iproxy) does work.
Interestingly, openssh-server was already marked as installed in Sileo. Reinstalling that didn't fix the problem.
Reddit had the answer: I set the password for the mobile user, root doesn't have a password by default:
❯ ssh mobile@10.0.0.181
(mobile@10.0.0.181) Password for mobile@Vanessas-iPhone:
Vanessas-iPhone:~ mobile% sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for mobile:
Vanessas-iPhone:~ root#
After setting a password for root using sudo passwd root, I was also able to login as root via SSH.
It is really weird how unreliable the ssh interface is in palera1n. They seem to change it in every release.
After removing and reapplying the jailbreak in rootful mode, openssh-server was not installed anymore. :D
But I did still have to manually set a password for root.
It seems like the ssh interface on port 44 is available on a freshly jailbroken device with the users root and mobile both being able to login with alpine as a password. After bootstrapping in the palera1n app, the ssh server is still running, but I can't log in with a password anymore, neither with root nor alpine.
It seems that at least for root, this is not surprising, as the palera1n loader app runs this helper function, which disables the root password: https://github.com/palera1n/jbinit/blob/dd15fc7b82e1287e1ce7fd5ad5c7910a07693fc2/src/jbloader/helper/pwset.c#L75-L95 (It runs pw usermod 0 -H 0, which reads a password hash from stdin and then sets it to !).
I can't seem to find a way to activate password login on port 44. I think this is a bug in the dropbear ssh server that is listening at port 44. It is running as
/cores/binpack/usr/sbin/dropbear -i -S /cores/binpack/bin/sh -H /usr/sbin:/usr/bin:/sbin:/bin:/cores/binpack/usr/sbin:/cores/binpack/usr/bin:/cores/binpack/sbin:/cores/binpack/bin -r /private/var/dropbear_rsa_host_key
Though I didn't find the -S and -H option in the dropbear manpage or the code. It seems dropbear reads the password hashes from the hash database using getpwnam() from pwd.h and I think that this might be a problem, because on iOS the hashes are not in the /etc/passwd, but in the /etc/master.passwd instead.
I tried to find out which password database might be loaded by watching file syscalls using a manual I found, but that didn’t yield any results in that regard.
@zner0L What is your goal with this?
Much as I would prefer fully automatic setup, this doesn't seem to be possible given the circumstances. And if the user already had to manually jailbreak, I feel like "Go into Sileo and install OpenSSH" doesn't seem too bad.
So, you think we should just point the port forwarding at :22 and be done with it?
Do you see a realistic other option (that doesn't require a huge amount of working and waiting for other projects to release fixes)?
Well, that is what I was looking for. But I guess I can conclude now that the problem is not due to user error.
I opened https://github.com/palera1n/jbinit/issues/10 towards fixing the SSH problems, but I am not sure this will be fixed if I report it this way. I will not post this into the Discord, though.
Huh, I was wrong. Well, I guess we’ll wait.
Since palera1n comes with the openssh-server preinstalled, we could try to install all dependencies we need in appstraction. This would make iOS device setup almost as simple as on Android. Since Sileo and Cydia are both just fancy wrappers for apt, this should be easy enough.