Preliminary Adventures on a Jailbroken iPad

4 minute read on

The new jailbreak for iOS 12 came out in the last few days, and as I’ve been doing some basic digging, I thought I’d share my results so far. Nothing too dramatic yet, but maybe it’ll spark some collaboration. There are a lot of write-ups out there of successful bug hunts, and I’m definitely going to start writing more. However, there’s not much on the early trial-and-error process, so hopefully this should be illuminating.

Jailbreaking

This part was pretty simple, since others have done the hard work. I just:

  • Bought the cheapest iPad directly from the nearest Apple store, $329 with 32GB and an A10 chip.
  • Downloaded Cydia Impactor from here and ran it on my personal laptop.
  • Downloaded the jailbreak from here. I had to try out a few different versions, but 3.5.0 ended up working.
  • Installed iTunes on my laptop, and set it up to trust the ipad.
  • Dragged the jailbreak .ipa file into cydia, tapped the unc0ver icon on the ipad, and let it do its thing.

Getting Started

Since Cydia installs openssh and iOS doesn’t have a bunch of command-line utilities by default, it’s useful to install some. Because I’m interested in poking around networking stuff I added the https://mcapollo.github.io/Public/ repo to cydia and installed curl, vim, nmap, and tcpdump.

Poking Around

I was curious to see what local ports are open by default, so I ran:

Joshuas-iPad:~ root# nmap 127.0.0.1 -p1-65535 -vvv
And got:
PORT  	STATE SERVICE 	REASON
22/tcp	open  ssh     	syn-ack ttl 64
1080/tcp  open  socks   	syn-ack ttl 64
1083/tcp  open  ansoft-lm-1 syn-ack ttl 64
8021/tcp  open  ftp-proxy   syn-ack ttl 64
62078/tcp open  iphone-sync syn-ack ttl 64

There’s nothing too dramatic here. Port 22 is open because I had cydia install openssh, 1080/1083 are for socks stuff, and 62078 is for wifi sync. I’m not sure what 8021 does, but it doesn’t give anything illuminating after poking at it with ncat.

From here I decided to install a bunch of sketchy apps, and see what traffic they actually generate. I’m particularly interested in seeing if any apps open additional ports, since this has been an issue in the Android ecosystem. I could simply keep running nmap, but that takes longer than just watching the traffic.

So on the ipad I ran the following, looking at the lo0 interface:

Joshuas-iPad:~ root# tcpdump -i lo0 -s0 -X -c 1000 tcp

After leaving this open and installing/opening a bunch of apps, I haven’t had any hits on the above. So I opened the ‘shortcuts’ app, created a shortcut that fetched http://127.0.0.1:1080, and saw the following as expected:

10:26:10.008710 IP localhost.51203 > localhost.socks: Flags [P.], seq 1:193, ack 1, win 6379, options [nop,nop,TS val 749027847 ecr 749027845], length 192
    0x0000:  4500 00f4 0000 4000 4006 0000 7f00 0001  E.....@.@.......
    0x0010:  7f00 0001 c803 0438 ded5 d31d 88f7 7cac  .......8......|.
    0x0020:  8018 18eb fee8 0000 0101 080a 2ca5 4207  ............,.B.
    0x0030:  2ca5 4205 4745 5420 2f20 4854 5450 2f31  ,.B.GET./.HTTP/1
    0x0040:  2e31 0d0a 486f 7374 3a20 3132 372e 302e  .1..Host:.127.0.
    0x0050:  302e 313a 3130 3830 0d0a 4163 6365 7074  0.1:1080..Accept
    0x0060:  3a20 2a2f 2a0d 0a41 6363 6570 742d 4c61  :.*/*..Accept-La
    0x0070:  6e67 7561 6765 3a20 656e 2d75 730d 0a43  nguage:.en-us..C
    0x0080:  6f6e 6e65 6374 696f 6e3a 206b 6565 702d  onnection:.keep-
    0x0090:  616c 6976 650d 0a41 6363 6570 742d 456e  alive..Accept-En
    0x00a0:  636f 6469 6e67 3a20 677a 6970 2c20 6465  coding:.gzip,.de
    0x00b0:  666c 6174 650d 0a55 7365 722d 4167 656e  flate..User-Agen
    0x00c0:  743a 2053 686f 7274 6375 7473 2f37 3838  t:.Shortcuts/788
    0x00d0:  2043 464e 6574 776f 726b 2f39 3738 2e30  .CFNetwork/978.0
    0x00e0:  2e37 2044 6172 7769 6e2f 3138 2e37 2e30  .7.Darwin/18.7.0
    0x00f0:  0d0a 0d0a

So I haven’t gotten anything too interesting on the loopback interface yet.

What about external traffic?

It’s not quite as exciting because I could listen to wifi traffic on my laptop even from a non-jailbroken iPad. But something about doing this directly on the iPad feels cooler, and it’s a convenient way to poke around and see any plain-HTTP traffic coming from apps. When the Netflix app first boots we can see:

Joshuas-iPad:~ root# tcpdump -s0 -X -c 1000 tcp and port 80
...
12:03:57.592232 IP joshuas-ipad.53681 > ec2-52-43-245-90.us-west-2.compute.amazonaws.com.http: Flags [P.], seq 1:535, ack 1, win 1029, options [nop,nop,TS val 757032922 ecr 12962902], length 534: HTTP: POST /appboot/NFAPPL-01-IPAD7=5- HTTP/1.1
    0x0000:  4500 024a 0000 4000 4006 4c29 c0a8 0257  E..J..@.@.L)...W
    0x0010:  342b f55a d1b1 0050 c641 f131 daae f844  4+.Z...P.A.1...D
    0x0020:  8018 0405 8ab6 0000 0101 080a 2d1f 67da  ............-.g.
    0x0030:  00c5 cc56 504f 5354 202f 6170 7062 6f6f  ...VPOST./appboo
    0x0040:  742f 4e46 4150 504c 2d30 312d 4950 4144  t/NFAPPL-01-IPAD
    0x0050:  373d 352d 2048 5454 502f 312e 310d 0a48  7=5-.HTTP/1.1..H
    0x0060:  6f73 743a 2061 7070 626f 6f74 2e6e 6574  ost:.appboot.net
    0x0070:  666c 6978 2e63 6f6d 0d0a 436f 6e74 656e  flix.com..Conten
    0x0080:  742d 5479 7065 3a20 6170 706c 6963 6174  t-Type:.applicat
    0x0090:  696f 6e2f 782d 7777 772d 666f 726d 2d75  ion/x-www-form-u
    0x00a0:  726c 656e 636f 6465 640d 0a43 6f6f 6b69  rlencoded..Cooki

… There was a cookie there, I don’t think it’s sensitive but I redacted it anyways.

So, I haven’t had any dramatic results thus far, but it’s been fun!

It’s been so long since we’ve had this much room to easily poke around on the latest version of iOS. If you find something, tweet me @joshmdx or email me at josh@pkc.io.

Interested in PKC’s work? Check out our new Secure Code Auditing service for Startups!

—————