@isa56k - the ones and zeros<br />
<br />
<b>SublimeText Build System for nasm (assembly)</b> (2014-08-15)<br />
<br />
Just been looking at the <a href="http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/" target="_blank">SecurityTube Linux Assembly course</a> (again) and decided to use <a href="http://www.sublimetext.com/" target="_blank">SublimeText</a> as the editor for writing the code.<br />
<br />
Got frustrated with having to type the compile and link each time at the command line and was pretty sure you could configure <a href="http://www.sublimetext.com/" target="_blank">SublimeText</a> to do this for you rather than use a bash script.<br />
<br />
After a quick read of the sublime docs I found the following would work:<br />
<br />
<b><span style="color: lime;"> {</span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"cmd": ["nasm -f elf32 ${file} -o ${file_path}/${file_base_name}.o && ld -o ${file_path}/${file_base_name} ${file_path}/${file_base_name}.o"],</span></b><br />
<b><span style="color: lime;"> "file_regex": "^(..[^:]*):([0-9]+):?([0-9]+)?:? (.*)$",</span></b><br />
<b><span style="color: lime;"> "working_dir": "${file_path}",</span></b><br />
<b><span style="color: lime;"> "shell": true</span></b><br />
<b><span style="color: lime;">}</span></b><br />
<br />
To add it to Sublime go to Tools > Build System > New Build System, paste the text above over what is already there, then save it as nasm. Set the Build System to nasm and use Ctrl+B or F7 to build.<br />
<br />
<b>Sniffing iOS traffic using remote virtual interface...</b> (2014-01-29)<br />
<br />
Today I learned something new =)<br />
<br />
It is possible to sniff the traffic from an iOS device without the need for a proxy or jailbreak!<br />
<br />
If you have a Mac there is a command <b><i>rvictl</i></b> that allows you to capture any traffic for an attached mobile device.<br />
<br />
Simply attach a device via the USB cable and run rvictl with -s (start) followed by the UDID of the attached device.<br />
<br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><b>rvictl -s &lt;udid&gt;</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrDpFnMUxYHbLeWfb7ytE90J1L2eKSeWYp9q8anFwcrd1O7Myh-gULHilP4ozOpnAhH7a4f7iv6GyRuNhm4-koTHhJo2osAzDyd0_MGI99yfTSTab2gHPJB93hamWbKAtjXFHubKbaLLM/s1600/Screen+Shot+2014-01-29+at+14.51.57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrDpFnMUxYHbLeWfb7ytE90J1L2eKSeWYp9q8anFwcrd1O7Myh-gULHilP4ozOpnAhH7a4f7iv6GyRuNhm4-koTHhJo2osAzDyd0_MGI99yfTSTab2gHPJB93hamWbKAtjXFHubKbaLLM/s1600/Screen+Shot+2014-01-29+at+14.51.57.png" height="92" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
This will create a virtual interface:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5cQe6L-GzIxfKOAG5jUrf_0c35xnExIKEqhl6fzEvfzxuf5ntYHIAVrOEdRNv651qtSth7LHKBaoZplYCmJU6_S1Mi4_h1UZy-jSuUc3fcl7g0XzPwntSQYp3Q3Gk0i1rkIYVKJLH1VE/s1600/Screen+Shot+2014-01-29+at+14.52.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5cQe6L-GzIxfKOAG5jUrf_0c35xnExIKEqhl6fzEvfzxuf5ntYHIAVrOEdRNv651qtSth7LHKBaoZplYCmJU6_S1Mi4_h1UZy-jSuUc3fcl7g0XzPwntSQYp3Q3Gk0i1rkIYVKJLH1VE/s1600/Screen+Shot+2014-01-29+at+14.52.31.png" height="85" width="320" /></a></div>
<br />
You can now use tcpdump or wireshark to capture the traffic.<br />
<br />
<br />
<div class="p1">
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><b> sudo tcpdump -i rvi0 -n -vv</b></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoKAhZz03OI-d5askAg6LGLExmpY3ElxocJGTlBIrsAvlOrRx0D33_aJbE1DU0IYNv1sIH6G3bEThXB-KUohhyykIaqXdQRVhwu2KlSxhJAQJk8WntVCgYQt21c0HVobuqAucc4aiJB7Y/s1600/Screen+Shot+2014-01-29+at+14.53.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoKAhZz03OI-d5askAg6LGLExmpY3ElxocJGTlBIrsAvlOrRx0D33_aJbE1DU0IYNv1sIH6G3bEThXB-KUohhyykIaqXdQRVhwu2KlSxhJAQJk8WntVCgYQt21c0HVobuqAucc4aiJB7Y/s1600/Screen+Shot+2014-01-29+at+14.53.31.png" height="116" width="320" /></a></div>
<br />
<br />
Handy little trick for troubleshooting and sniffing traffic that I didn't know existed. I think it will only capture WiFi traffic; I haven't played to see if it will grab mobile network traffic.<br />
<br />
Every day's a skool day!<br />
<br />
<b>class-dump-z armv7 &amp; armv7s</b> (2014-01-23)<br />
<br />
I recently tried to class-dump an iPhone application that was running on an iPhone 5s (7.0.4). After firing up class-dump-z and running it, nothing seemed to happen; class-dump-z just hung.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiULcxETEaj5yQWZ0LpwzRA7AUHteURU2HCN0z5AOLZ12LREUAPDlcTxKxPhjZSC-w5JJQ25eZeCn1L7FEm5f3nDA1SoVnsr4VJ4x1CKtV7vihnRfRjT3HvyoE8ACNoLZ3FtNULoh9aJWA/s1600/Screen+Shot+2014-01-23+at+09.54.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiULcxETEaj5yQWZ0LpwzRA7AUHteURU2HCN0z5AOLZ12LREUAPDlcTxKxPhjZSC-w5JJQ25eZeCn1L7FEm5f3nDA1SoVnsr4VJ4x1CKtV7vihnRfRjT3HvyoE8ACNoLZ3FtNULoh9aJWA/s1600/Screen+Shot+2014-01-23+at+09.54.39.png" height="227" width="400" /></a></div>
<br />
<br />
Wondering if this was something to do with 64-bit and the iPhone 5s, I decided to run lipo on the binary to check it out:<br />
<br />
<br />
<div class="p1">
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><b>lipo -info Prometheus</b></span></div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnwLICtOw-q-SJ83Zy_MrkeSBWNKQGcc0wq_VYKhbb0VNIuazrjB9FzW0h6unSFjM8oLzWlXGErewvCN08L8cxyTAWlifspfQDez6qkt_Ojk3r8d4fURUXLu5Ectmrwwh-RUSWe7VpLqI/s1600/Screen+Shot+2014-01-23+at+09.55.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnwLICtOw-q-SJ83Zy_MrkeSBWNKQGcc0wq_VYKhbb0VNIuazrjB9FzW0h6unSFjM8oLzWlXGErewvCN08L8cxyTAWlifspfQDez6qkt_Ojk3r8d4fURUXLu5Ectmrwwh-RUSWe7VpLqI/s1600/Screen+Shot+2014-01-23+at+09.55.14.png" height="130" width="400" /></a></div>
<div class="p1">
</div>
<br />
Hmm, armv7 &amp; armv7s. I had a look at the help options for class-dump-z and noticed there was an option to select the architecture using -u. I tried the following:<br />
<br />
<span style="color: yellow; font-family: Courier New, Courier, monospace;"><b>class-dump-z -u armv7 Prometheus</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHOt5lgoScztyurC8PmidHIXTGp88fLBsyFmtmQ9LHk8_fq2Uzq8TxgUhdy09gh2suqtcNtw83VuOARypc9sDCBm2FPFb46l2X7Br_wHvNj3GnjlpmsbT_7UxqK9tNKQCZO8o_JFheoYI/s1600/Screen+Shot+2014-01-23+at+09.55.47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHOt5lgoScztyurC8PmidHIXTGp88fLBsyFmtmQ9LHk8_fq2Uzq8TxgUhdy09gh2suqtcNtw83VuOARypc9sDCBm2FPFb46l2X7Br_wHvNj3GnjlpmsbT_7UxqK9tNKQCZO8o_JFheoYI/s1600/Screen+Shot+2014-01-23+at+09.55.47.png" height="227" width="400" /></a></div>
<br />
<br />
<b><span style="color: yellow; font-family: Courier New, Courier, monospace;">class-dump-z -u armv7s Prometheus</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwT_PwMPcZ5OGdKzZcXtONEeC7A5jEkuCdVes5iohXw7zubzugvRUTOZezAUmCBCKh3Zur5j4hyWKGkbSpzn8wAwR43FSJhfOjmcC36wk-Vs3PZIkNgtKips9pym5GrbH1Ey9mPqtZA3U/s1600/Screen+Shot+2014-01-23+at+09.56.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwT_PwMPcZ5OGdKzZcXtONEeC7A5jEkuCdVes5iohXw7zubzugvRUTOZezAUmCBCKh3Zur5j4hyWKGkbSpzn8wAwR43FSJhfOjmcC36wk-Vs3PZIkNgtKips9pym5GrbH1Ey9mPqtZA3U/s1600/Screen+Shot+2014-01-23+at+09.56.03.png" height="226" width="400" /></a></div>
<br />
<br />
Again, nothing.<br />
<br />
The next option was to extract armv7 &amp; armv7s from the binary using lipo as below:<br />
<br />
<b><span style="color: yellow; font-family: Courier New, Courier, monospace;">lipo Prometheus -extract armv7 -output Prometheus-armv7</span></b><br />
<b><span style="color: yellow; font-family: Courier New, Courier, monospace;"><br /></span></b>
<b><span style="color: yellow; font-family: Courier New, Courier, monospace;">lipo Prometheus -extract armv7s -output Prometheus-armv7s</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE4_F33EVNzg896PMd-4V8zp6veax1hFnGY1OoI_9oid2rQXWUWcMAy4uQ4NIRqdSniKLVyuR4aLtBg-OKJSEkFVWfeRYJjfaOBjUx6gUSIBLzCJ75Anm2UzfZRko5TiwxOhMJenRYtcw/s1600/Screen+Shot+2014-01-23+at+09.56.57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE4_F33EVNzg896PMd-4V8zp6veax1hFnGY1OoI_9oid2rQXWUWcMAy4uQ4NIRqdSniKLVyuR4aLtBg-OKJSEkFVWfeRYJjfaOBjUx6gUSIBLzCJ75Anm2UzfZRko5TiwxOhMJenRYtcw/s1600/Screen+Shot+2014-01-23+at+09.56.57.png" height="222" width="400" /></a></div>
<br />
<br />
I then ran class-dump-z against each; for some reason the armv7 binary didn't dump...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijsv88TnUiKRt3V-NiNHH7nvuEboH9d7SbTm1-GvPGJLhg-THPnpve7PIPlmzjjULE8NXqcCyCx0HOPql1rzN31eX0BiLQK_sI1dVxRLq6C06lGZ_jl-5EddqwVfhr1IrgJLjOfrg8fC8/s1600/Screen+Shot+2014-01-23+at+09.57.29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijsv88TnUiKRt3V-NiNHH7nvuEboH9d7SbTm1-GvPGJLhg-THPnpve7PIPlmzjjULE8NXqcCyCx0HOPql1rzN31eX0BiLQK_sI1dVxRLq6C06lGZ_jl-5EddqwVfhr1IrgJLjOfrg8fC8/s1600/Screen+Shot+2014-01-23+at+09.57.29.png" height="227" width="400" /></a></div>
<br />
<br />
But armv7s did, which was enough for now; why it doesn't work using the -u option I'm not sure...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivKjqDo2yixTXKLwW7sBh47FIL5GnPkEp7fYJ6Adp22KC1jAz8E2rwk99enCxEygxEEQfeVLDmR_jnlbZm1xiDJKG0ykLLDg9-7yD4ZUjIpFVcqwFQBulPQ1OmUt76wo7sLl8KqNXXUH8/s1600/Screen+Shot+2014-01-23+at+09.58.44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivKjqDo2yixTXKLwW7sBh47FIL5GnPkEp7fYJ6Adp22KC1jAz8E2rwk99enCxEygxEEQfeVLDmR_jnlbZm1xiDJKG0ykLLDg9-7yD4ZUjIpFVcqwFQBulPQ1OmUt76wo7sLl8KqNXXUH8/s1600/Screen+Shot+2014-01-23+at+09.58.44.png" height="218" width="400" /></a></div>
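As an added example (not code from this post, and not how lipo or class-dump-z are implemented), here is a small Python parser for the fat (universal) header that lipo -info reads: it lists the slices and pulls one out, the two lipo operations used above. Reading the slice table before dumping is a quick way to tell whether a tool that hangs is being handed an architecture it cannot deal with. The sample binary is constructed inside the script and its slices are placeholder bytes rather than real code; the arch table only covers the armv7, armv7s and arm64 values relevant here.<br />

```python
# Added example: a minimal parser for the Mach-O "fat" (universal) header
# that `lipo -info` reads and `lipo -extract` slices from. Not code from the
# post and not how lipo or class-dump-z are implemented; the sample binary is
# constructed below and its slices are placeholder bytes, not real code.
import struct

FAT_MAGIC = 0xCAFEBABE           # big-endian magic at offset 0 of a fat binary
CPU_TYPE_ARM = 12
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_ARM64 = CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_MASK = 0x00FFFFFF    # high byte of cpusubtype holds capability bits

# (cputype, cpusubtype) -> the arch name lipo prints
ARCH_NAMES = {
    (CPU_TYPE_ARM, 9): "armv7",
    (CPU_TYPE_ARM, 11): "armv7s",
    (CPU_TYPE_ARM64, 0): "arm64",
}


def fat_archs(data):
    """Return [(arch_name, offset, size)] for every slice, or raise ValueError
    if `data` is not a fat Mach-O or a slice runs past the end of the file."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    archs = []
    for i in range(nfat_arch):
        entry = data[8 + i * 20:28 + i * 20]          # struct fat_arch is 5 x uint32
        if len(entry) < 20:
            raise ValueError("truncated fat_arch table")
        cputype, cpusubtype, offset, size, _align = struct.unpack(">IIIII", entry)
        key = (cputype, cpusubtype & CPU_SUBTYPE_MASK)
        name = ARCH_NAMES.get(key, "unknown(%d,%d)" % key)
        if offset + size > len(data):
            raise ValueError("slice %s runs past end of file" % name)
        archs.append((name, offset, size))
    return archs


def lipo_info(data):
    """The architecture list `lipo -info` prints, e.g. 'armv7 armv7s'."""
    return " ".join(name for name, _, _ in fat_archs(data))


def lipo_extract(data, arch):
    """Bytes of a single slice, as `lipo -extract <arch>` would write out
    (minus the one-entry fat wrapper lipo keeps around it)."""
    for name, offset, size in fat_archs(data):
        if name == arch:
            return data[offset:offset + size]
    raise KeyError("architecture %s not present" % arch)


def build_sample_fat():
    """Constructed two-slice fat binary (armv7 + armv7s), page-aligned the way
    lipo lays slices out. Payloads are placeholders, not real Mach-O code."""
    slices = [(CPU_TYPE_ARM, 9, b"ARMV7-SLICE"),
              (CPU_TYPE_ARM, 11, b"ARMV7S-SLICE")]
    align = 12                      # log2(4096)
    page = 1 << align
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    offset = page                   # first slice starts on the page after the header
    for cputype, subtype, payload in slices:
        header += struct.pack(">IIIII", cputype, subtype, offset, len(payload), align)
        offset += page
    out = header.ljust(page, b"\0")
    for _, _, payload in slices:
        out += payload.ljust(page, b"\0")
    return out


if __name__ == "__main__":
    sample = build_sample_fat()
    print("Architectures in the fat file are:", lipo_info(sample))
    print("armv7s slice:", lipo_extract(sample, "armv7s"))
```

On a real binary, read the file into `data` and call lipo_info; a thin (single-architecture) Mach-O has a different magic and raises ValueError rather than being reported as fat.<br />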
<br />
<b>Get lucky... #CES2014 iBeacon Scavenger Hunt</b> (2014-01-13)<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-family: Arial;">Last week the Consumer Electronics Show (CES2014) was on in Las Vegas. A lot of new tech was on show, from 4K ultra HD TVs to e-cigs! To accompany the show an iPhone app was released to help delegates find stands, each other, talks and panel discussions. As well as all this, a scavenger hunt was built into the app using the new iBeacon technology available in iOS 7. The purpose of the hunt was to find each of the beacons located around the show; when you are in range of a beacon you get notified and the beacon is marked as found in the application. First to find all the beacons gets a prize.... W00t! </span><br />
<span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib05t4ewn-l147k7CnXVcbv6Fca46Zgp4rcUhEZxBO1gWPGzQZQD8AW5GH89tlSgtCJ_eAOv90N9rvGTeIpWTPMWWkP8d5ptvLv-owgoO2ZueU62xFehSH2HEczPSknt4CbyoN9BNpJok/s1600/image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEib05t4ewn-l147k7CnXVcbv6Fca46Zgp4rcUhEZxBO1gWPGzQZQD8AW5GH89tlSgtCJ_eAOv90N9rvGTeIpWTPMWWkP8d5ptvLv-owgoO2ZueU62xFehSH2HEczPSknt4CbyoN9BNpJok/s400/image.png" width="225" /></a></div>
<div style="text-align: center;">
<br /></div>
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">As I have been looking into Bluetooth Low Energy and iBeacons for a customer I decided to reverse the application and see if I could "find" all the beacons from the comfort of my seat :)</span><br />
<span style="font-family: Arial;"></span><br />
<b><u><span style="color: red;"><span style="font-family: Arial;">So what is an iBeacon?</span></span></u></b><br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;">The <a href="http://support.apple.com/kb/HT6048" target="_blank">Apple web site</a> describes them as….</span><br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">"iBeacon is a new technology that extends Location Services in iOS. Your iOS device can alert apps when you approach or leave a location with an iBeacon. In addition to monitoring location, an app can estimate your proximity to an iBeacon (for example, a display or checkout counter in a retail store). Instead of using latitude and longitude to define the location, iBeacon uses a Bluetooth low energy signal, which iOS devices detect. To learn more about Bluetooth technology, see the official Bluetooth website."</span><br />
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;">Basically an iBeacon is a BTLE chip that advertises a UUID, a major value and a minor value (which together identify a location). You end up with something like:</span><br />
<span style="font-family: Arial;"></span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b style="background-color: black;">UUID: 3D481CE6-DAC4-48E1-AA8C-8BACD8C24557<br />
Major: 1<br />
Minor: 65001</b></span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">This is broadcast and the iOS application scans for the UUID (you can also match on the major if it is not likely to change). When a beacon is found, the application does something, e.g. calculates proximity and lets the user know they are close by or have just left the area. A better technical write-up is available <a href="http://blog.nerdery.com/2013/11/nerdery-labs-ibeacon-experiments/" target="_blank">here</a>. </span><span style="font-family: Arial;">The Apple developer documentation is also available <a href="https://developer.apple.com/library/ios/documentation/CoreLocation/Reference/CLBeacon_class/Reference/Reference.html" target="_blank">here</a>.</span><br />
<br />
<span style="font-family: Arial;">There is a lot of hype starting to surround them, and it seems to have grown since CES2014; I guess many of the journalists at the event saw the scavenger hunt (see links below).</span><br />
<span style="font-family: Arial;"></span><br />
<a href="http://www.cultofmac.com/261988/apples-ibeacon-hyped/" target="_blank">http://www.cultofmac.com/261988/apples-ibeacon-hyped/</a>
<span style="font-family: Arial;"></span><br />
<br />
<a href="http://9to5mac.com/2014/01/02/ces-2014-to-host-ibeacon-scavenger-hunt-w-official-mobile-apps/" target="_blank">http://9to5mac.com/2014/01/02/ces-2014-to-host-ibeacon-scavenger-hunt-w-official-mobile-apps/</a>
<span style="font-family: Arial;"></span><br />
<br />
<a href="http://blogs.computerworld.com/ios/23344/apple-ibeacon-tech-lights-ces-2014" target="_blank">http://blogs.computerworld.com/ios/23344/apple-ibeacon-tech-lights-ces-2014</a> <span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: red;"><span style="font-family: Arial;"><b><u>How was I going to win the competition without moving too far?</u></b></span></span><br />
<span style="color: red; font-family: Arial;"><b><u><br /></u></b></span>
<span style="font-family: Arial;">I installed the CES application on my jailbroken iPhone and had a nose around. I used <a href="http://www.libimobiledevice.org/" target="_blank">libimobiledevice</a></span><span style="font-family: Arial;"> to start pulling the syslog back to my laptop; you can also do this using the iPhone Configuration Utility. I prefer idevicesyslog in libimobiledevice as it doesn’t jump around so much on the terminal when you are looking at the console/log.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">When I fired the application up and started the scavenger hunt I noticed what looked like the UUID and some minor numbers:</span><br />
<span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw17IPyKrhPP5pZgC810fr9XmVMd2Ro_rLmgqI6lGdP4uyQyM9zaa-ibEEn9yPgnbABFsXKXLxU_OfiJq5bPsB05AThKXzddgDASaA0lJBhi4ovtYkDP90v5epvTBHTbfBF3nIqu2H4Bs/s1600/Screen+Shot+2014-01-13+at+16.03.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw17IPyKrhPP5pZgC810fr9XmVMd2Ro_rLmgqI6lGdP4uyQyM9zaa-ibEEn9yPgnbABFsXKXLxU_OfiJq5bPsB05AThKXzddgDASaA0lJBhi4ovtYkDP90v5epvTBHTbfBF3nIqu2H4Bs/s640/Screen+Shot+2014-01-13+at+16.03.15.png" width="640" /></a></div>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;">Now I had these, all I needed to find was the major and I could spoof beacons.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I ssh’d onto the device and located the application, dumped it and decrypted it using Clutch. Clutch is a favourite of crackers but also very handy for hackers / pen testers to dump an application so it can be read in IDA Pro, Hopper, class-dump-z or whatever. I ran strings on the binary, which showed up a few references to beacon and UUID but nothing too concrete. No major found here.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I continued to look around the sub directories of the application and found a few SQLite databases which looked promising, the names of the tables sounded like they would hold the details of iBeacons that were found. I looked inside each of the tables but again, nothing.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I then found a plist that looked like a default preferences file which had some interesting stuff in it and some reference to sh_targets. I assumed this meant scavenger hunt targets. The data inside the key sh_target_list was all hex: </span><br />
<span style="font-family: Arial;"><br /></span>
<br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_xfSiD92lw38cRNMEdLi2NVJ1LjbapIcY7DKSZyOEbsCN85lma1PACYMML6_LMewsEuK7ya286fP7lyxsXil3pNbQIjFqevTQRg1KTWby7HygPYg69cDllVTbWTJ_X1xmocLnsKTvOKU/s1600/Screen+Shot+2014-01-12+at+23.26.37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_xfSiD92lw38cRNMEdLi2NVJ1LjbapIcY7DKSZyOEbsCN85lma1PACYMML6_LMewsEuK7ya286fP7lyxsXil3pNbQIjFqevTQRg1KTWby7HygPYg69cDllVTbWTJ_X1xmocLnsKTvOKU/s640/Screen+Shot+2014-01-12+at+23.26.37.png" width="640" /></a></div>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;">I grabbed it and chucked it into a hex-to-ASCII converter available on the internets... Hmm, it looked a lot like a binary plist. </span><br />
<span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwVN10uAozIqF4i8EisNpL_4r-my9otR_f0ZJTrrZzPHLYspmu9Qwfc4WJktxc1EeRZz24fBloyvQr2IMZButW9HyVMnoKjYE3gxbT97liZ7ZneH-caWGuxLXOSpYub84rV8BTXRJ0bG8/s1600/Screen+Shot+2014-01-12+at+23.30.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwVN10uAozIqF4i8EisNpL_4r-my9otR_f0ZJTrrZzPHLYspmu9Qwfc4WJktxc1EeRZz24fBloyvQr2IMZButW9HyVMnoKjYE3gxbT97liZ7ZneH-caWGuxLXOSpYub84rV8BTXRJ0bG8/s640/Screen+Shot+2014-01-12+at+23.30.12.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<span style="font-family: Arial;">I copied the hex from the original plist into a file and converted from hex into a binary file using xxd as below:</span><br />
<span style="font-family: Arial;"></span><br />
<span style="background-color: black; color: #29f914; font-family: 'Andale Mono';">xxd -r -p ces.hex ces.plist</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I could now convert this into XML using plutil:</span><br />
<span style="font-family: Arial;"></span><br />
<span style="background-color: black; color: #29f914; font-family: 'Andale Mono';">plutil -convert xml1 ces.plist</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">Now I had a plist I could look at in Xcode or any other text editor. Once opened, it was easy to see the dev had embedded the details of a found beacon inside the plist and also the minor IDs, which matched up with what I had found in the log. </span><br />
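The same decode as an added Python example (not the post's own code): a binary plist stored as hex inside a preferences plist is unhexed and parsed in one step, and the target entries are listed so you can see exactly what hunt state lives on the device. The preferences file is constructed in the script, and its inner layout (a 'targets' array of dicts with 'i_beacon_minor' and 'found') is an assumption built from the key names mentioned in this post, not the real app's schema; the UUID is the example one from earlier in the post.<br />

```python
# Added example (not the post's code): decode a binary plist that is stored
# as a hex string inside another plist, the nesting found in the app's
# default preferences above, and list which scavenger-hunt targets are
# tracked only by a client-side "found" flag. The preferences file is
# constructed here; its layout (a 'targets' array of dicts carrying
# 'i_beacon_minor' and 'found') is an assumption built from the key names
# the post mentions, not the real CES app's schema.
import binascii
import plistlib

EXAMPLE_UUID = "3D481CE6-DAC4-48E1-AA8C-8BACD8C24557"  # the post's example UUID


def decode_hex_plist(hex_text):
    """Equivalent of `xxd -r -p` followed by `plutil -convert xml1`: turn the
    hex string back into bytes and parse the binary plist they contain."""
    raw = binascii.unhexlify("".join(hex_text.split()))   # tolerate line breaks
    if not raw.startswith(b"bplist00"):
        raise ValueError("embedded data is not a binary plist")
    return plistlib.loads(raw)


def audit_targets(prefs_bytes, key="sh_target_list"):
    """Parse the outer preferences plist, decode the nested target list and
    return [(minor, found)]. Every entry here is state the device owner can
    edit, so none of these flags proves a beacon was actually visited."""
    prefs = plistlib.loads(prefs_bytes)
    nested = decode_hex_plist(prefs[key])
    return [(int(t["i_beacon_minor"]), bool(t["found"])) for t in nested["targets"]]


def locally_claimed(prefs_bytes):
    """Minors the client currently claims as found, i.e. what a server would be
    trusting if it took the app's word for it."""
    return [minor for minor, found in audit_targets(prefs_bytes) if found]


def build_sample_prefs():
    """Constructed preferences plist mirroring the nesting seen above: an XML
    plist whose sh_target_list value is the hex of a binary plist."""
    inner = {"targets": [
        {"i_beacon_minor": 65001, "found": True},
        {"i_beacon_minor": 65002, "found": False},
        {"i_beacon_minor": 65003, "found": False},
    ]}
    inner_bytes = plistlib.dumps(inner, fmt=plistlib.FMT_BINARY)
    prefs = {"sh_uuid": EXAMPLE_UUID, "sh_target_list": inner_bytes.hex()}
    return plistlib.dumps(prefs, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    sample = build_sample_prefs()
    for minor, found in audit_targets(sample):
        print("minor %5d found=%s" % (minor, found))
    print("client-side claims:", locally_claimed(sample))
```

To run it against a real preferences file, read the file as bytes and pass it to audit_targets; plistlib detects XML and binary outer plists automatically, so no plutil conversion is needed first.<br />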
<span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLuY2JZ46fCnL84sSgGIOQrxs7f4UeMESpBkd3aRAg3BsPqQLle6elIFcu1GFi0gLaLYnXOT-mzOLTxcCLyJupx_Vf0nr9QuxTINI4taM8M0cHUXZvfgqjjDPvC-wOMMVigEsCHxqz-7I/s1600/Screen+Shot+2014-01-13+at+17.07.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLuY2JZ46fCnL84sSgGIOQrxs7f4UeMESpBkd3aRAg3BsPqQLle6elIFcu1GFi0gLaLYnXOT-mzOLTxcCLyJupx_Vf0nr9QuxTINI4taM8M0cHUXZvfgqjjDPvC-wOMMVigEsCHxqz-7I/s640/Screen+Shot+2014-01-13+at+17.07.51.png" width="330" /></a></div>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;">This left me with two options: keep looking for the major and spoof each beacon, or see if I could set the individual beacons to found = YES in the plist.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">After hunting around a little bit longer for the major I decided the quickest route to success would be to try setting the found key to YES.</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">To get everything back into the right order I would need to do the following:</span><span style="font-family: Arial;"><br /></span><br />
<br />
<ul>
<li><span style="font-family: Courier New, Courier, monospace;">Edit the plist with the keys ‘found' and ‘i_beacon_minor' in and set the found key to YES</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">Use plutil to convert the plist back to binary</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">Grab a hex dump of the modified plist and copy the hex back into the default preferences plist.</span></li>
<li><span style="font-family: Courier New, Courier, monospace;">Convert the default preferences plist back to binary and then copy over to my device and replace the old file.</span></li>
</ul>
<span style="font-family: Arial;"><br /></span>
<span style="font-family: Arial;">Set key value to true</span><span style="font-family: Arial;">:</span><br />
<span style="font-family: Arial;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyJA0QZjVaqNMMvhvcmHFb93Gsl7Efq5HFYXNp_HSem7v_M4kPt1DRo8X5V3sxLugfq2KGjyMghqn3Xkm7orblRuhyFjHLjqOh-P29z69C0CnXuFKQC4fqPYQ6Ia0qqDDaQtcUT1BJLb4/s1600/Screen+Shot+2014-01-13+at+17.19.59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyJA0QZjVaqNMMvhvcmHFb93Gsl7Efq5HFYXNp_HSem7v_M4kPt1DRo8X5V3sxLugfq2KGjyMghqn3Xkm7orblRuhyFjHLjqOh-P29z69C0CnXuFKQC4fqPYQ6Ia0qqDDaQtcUT1BJLb4/s640/Screen+Shot+2014-01-13+at+17.19.59.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="font-family: Arial;">Convert back to binary plist:</span><br />
<span style="font-family: Arial;"></span><br />
<span style="background-color: black; color: #29f914; font-family: 'Andale Mono';">plutil -convert binary ces.plist</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I then used Hex Fiend to dump the hex; I guess I could have used hexdump or xxd, but Hex Fiend formatted the hex nicely and didn’t grab the offsets when cutting and pasting:</span><br />
<span style="font-family: Arial;"></span><br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEZCiPV-Z2ls2jX0qQpsMgpu58RmGHoPcsRm-DW1X-GQWxmqS4Zwas5KvUcNObUJS2vp9LMlPhcpknNJBUQlCERaF5X6sjQCRb4pVpAReQHf8diaa3c65XLyHpvwLLE8zMds7Ey7eL_hc/s1600/Screen+Shot+2014-01-13+at+17.23.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEZCiPV-Z2ls2jX0qQpsMgpu58RmGHoPcsRm-DW1X-GQWxmqS4Zwas5KvUcNObUJS2vp9LMlPhcpknNJBUQlCERaF5X6sjQCRb4pVpAReQHf8diaa3c65XLyHpvwLLE8zMds7Ey7eL_hc/s640/Screen+Shot+2014-01-13+at+17.23.12.png" width="324" /></a></div>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;"></span>
<span style="font-family: Arial;">Once pasted into the default preferences plist I now had all I needed to win.</span><br />
<span style="font-family: Arial;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_ELkQkdVtHZB-wkhbhqIORipsYufhUOAE4QvLsPRNa09VvQ7x6QXmbOe5YsK64XWSRqb7fnxRfVtOgJknlWgFcaeiO4zWuElHi3R8P5KxWPk7CcNjtcTZlXMlTcWwHd3RuB0SK4mk_kY/s1600/Screen+Shot+2014-01-13+at+17.35.08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_ELkQkdVtHZB-wkhbhqIORipsYufhUOAE4QvLsPRNa09VvQ7x6QXmbOe5YsK64XWSRqb7fnxRfVtOgJknlWgFcaeiO4zWuElHi3R8P5KxWPk7CcNjtcTZlXMlTcWwHd3RuB0SK4mk_kY/s640/Screen+Shot+2014-01-13+at+17.35.08.png" width="640" /></a></div>
<div style="text-align: center;">
<br /></div>
<span style="font-family: Arial;">I SCP'd it over to the device and fired up the application… WINNER</span><br />
<span style="font-family: Arial;"></span><br />
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho0l142-77UrhabhcX6fQz0Kv-rJwxfOKQJ8xhp2tI8tw0SzPUBNemTIdC2SBkLZCYNJ2Y1yfrCdLVtN52T6B6vpfDErV4izcWlmdtnMQq4ffaMKW-29OM4BSJjL1bUUwVOuyM0_W1HCw/s1600/photo+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEho0l142-77UrhabhcX6fQz0Kv-rJwxfOKQJ8xhp2tI8tw0SzPUBNemTIdC2SBkLZCYNJ2Y1yfrCdLVtN52T6B6vpfDErV4izcWlmdtnMQq4ffaMKW-29OM4BSJjL1bUUwVOuyM0_W1HCw/s400/photo+1.PNG" width="225" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08VzqJgRxTvTCZZOMVwce5nR6Zd93qozJ6ehbsYIykgHzjD-67TA1tGy1m5OyutiA85j-Nl3A5KAX5iBY_mhka6qjCk4VmtHWQ4h4JTECE3uHZKM71EIoPRN-P8-aNBn4a8OuNoRDGzA/s1600/photo+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg08VzqJgRxTvTCZZOMVwce5nR6Zd93qozJ6ehbsYIykgHzjD-67TA1tGy1m5OyutiA85j-Nl3A5KAX5iBY_mhka6qjCk4VmtHWQ4h4JTECE3uHZKM71EIoPRN-P8-aNBn4a8OuNoRDGzA/s400/photo+2.PNG" width="225" /></a></div>
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">I’m not sure what would have happened if I had tried to claim the prize remotely. I’m guessing that they may have had some metrics that could have identified how quickly I found each beacon, making it physically impossible to have visited each beacon individually. However, with some further digging I’m sure I could have found the major ID and spoofed each beacon with a Raspberry Pi or another iOS device. Setting some reasonable times between each it could have been believable.... A free 4K UHD curved TV would have been good =D</span><br />
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">If you are planning to use iBeacons for prizes or some kind of promotion code then I would suggest you use a web server backend with reasonable protection to stop this kind of hack; it wasn’t that hard and could be done pretty quickly. </span><br />
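As an added illustration of that backend (example code, not anything the CES app or its developers wrote), the Python below keeps the found list on the server, timestamps every sighting with the server's own clock, ignores whatever the app claims about its own progress, and rejects a sighting that would require moving between two beacons faster than a person can walk. Beacon positions, the walking-speed bound and the clock are constructed values chosen for the demo.<br />

```python
# Added example of the backend the post recommends: the server, not the app,
# decides which beacons a player has found. Not code from the CES app or its
# developers; the beacon layout, walking-speed bound and clock are constructed
# values chosen for the demo.
import math


class FakeClock:
    """Settable clock so the plausibility check can be exercised offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


# Constructed layout: beacon minor -> (x, y) position on the show floor, metres
SAMPLE_BEACONS = {65001: (0, 0), 65002: (0, 200), 65003: (300, 200)}


class HuntServer:
    MAX_WALK_SPEED_MPS = 2.0   # assumed upper bound for someone on foot

    def __init__(self, beacons, clock):
        self.beacons = dict(beacons)
        self.clock = clock
        self.progress = {}     # player -> {minor: server-side timestamp}
        self.rejected = []     # (player, minor, reason), for monitoring

    def _min_travel_seconds(self, a, b):
        (x1, y1), (x2, y2) = self.beacons[a], self.beacons[b]
        return math.hypot(x2 - x1, y2 - y1) / self.MAX_WALK_SPEED_MPS

    def report_sighting(self, player, minor, client_claimed_found=None):
        """Record that `player` reports being in range of beacon `minor`.
        The client's own opinion of its progress (client_claimed_found) is
        accepted as a parameter only to show that it is ignored: the server
        keeps the authoritative record and timestamps every sighting itself."""
        now = self.clock()
        if minor not in self.beacons:
            self.rejected.append((player, minor, "unknown beacon"))
            return False
        found = self.progress.setdefault(player, {})
        if minor in found:
            return True                       # re-sighting is harmless
        if found:
            last_minor, last_t = max(found.items(), key=lambda kv: kv[1])
            if now - last_t < self._min_travel_seconds(last_minor, minor):
                self.rejected.append((player, minor, "implausible travel time"))
                return False
        found[minor] = now
        return True

    def found_minors(self, player):
        return sorted(self.progress.get(player, {}))

    def is_complete(self, player):
        return set(self.progress.get(player, {})) == set(self.beacons)


if __name__ == "__main__":
    clock = FakeClock()
    server = HuntServer(SAMPLE_BEACONS, clock)
    server.report_sighting("alice", 65001)
    clock.now = 10
    server.report_sighting("alice", 65002, client_claimed_found=True)  # rejected
    clock.now = 120
    server.report_sighting("alice", 65002)                              # accepted
    print("found:", server.found_minors("alice"), "rejected:", server.rejected)
```

This closes the edited-plist route and the timing problem the post raises (every beacon "found" within minutes from one seat); it does not authenticate the beacon radio signal itself, which the post notes could still be spoofed with a Raspberry Pi or another iOS device.<br />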
<span style="font-family: Arial;"></span><br />
<span style="font-family: Arial;">If you believe the hype iBeacons have a big future, it will be interesting to see the implementations and how people secure them properly.</span>
<br />
<b>Decrypting iOS Kernel Cache (A4 CPU Devices)</b> (2014-01-03)<br />
<br />
Decrypting the iOS kernel cache on devices with an A4 or lower CPU is relatively straightforward thanks to the limera1n boot exploit. This allows the extraction of the IV &amp; keys for each file within the IPSW software bundle, which are published on the<a href="http://theiphonewiki.com/wiki/Firmware" target="_blank"> iPhone Wiki</a>. Each time a new firmware package is released the keys are updated.<br />
<div>
<br /></div>
<div>
I believe it is also possible to dump the kernel cache from devices with an A5 or later chip, but so far I haven't played with this. On those devices it has to be dumped from memory rather than decrypted out of the IPSW, which is more complex.</div>
<div>
<br /></div>
<div>
To decrypt your kernel you first need to download a copy of the IPSW package for your device, I'm going to use the iPhone 4 GSM 7.0.4 firmware available here:</div>
<div>
<br /></div>
<div>
<a href="http://appldnld.apple.com/iOS7/031-1831.20131114.P3wE4/iPhone3,1_7.0.4_11B554a_Restore.ipsw">http://appldnld.apple.com/iOS7/031-1831.20131114.P3wE4/iPhone3,1_7.0.4_11B554a_Restore.ipsw</a></div>
<div>
<br /></div>
<div>
Once the firmware has downloaded you can simply unzip the IPSW file and extract the contents, you should have the following:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWxAU2TRdKWryMiaoRSpUpkBjkgVXhFqyxLOISfPvqf2yrL7rxtnOEpN9g76-bCLvx444C-MQqOHUQiZPmW8wU2xisMnCxy0U7fUo2P-8PMQZ12KMHRcG-hLEQuJ6KvHaec1odYDspmbw/s1600/Screen+Shot+2014-01-03+at+10.27.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="451" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWxAU2TRdKWryMiaoRSpUpkBjkgVXhFqyxLOISfPvqf2yrL7rxtnOEpN9g76-bCLvx444C-MQqOHUQiZPmW8wU2xisMnCxy0U7fUo2P-8PMQZ12KMHRcG-hLEQuJ6KvHaec1odYDspmbw/s640/Screen+Shot+2014-01-03+at+10.27.58.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The file you are interested in is kernelcache.release.xx. In this instance the file we want is kernelcache.release.n90: n90 is the device identifier for the iPhone 4 GSM, and each device has its own, so on an iPad or iPod the suffix will be different.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfzWA1cAVho5Bp8aZeOEECa4gKMGw0S0f0RA0XBmoOBfEeUTZcgBM9ZKfdOW14gX4lfn0TvoejIG4E_P62dLZ4zA4Sm1f6MagR6Bihl8hWY9R2ujbGcpaHwzgaHHisTpauipX34N4Fwhk/s1600/Screen+Shot+2014-01-03+at+10.29.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfzWA1cAVho5Bp8aZeOEECa4gKMGw0S0f0RA0XBmoOBfEeUTZcgBM9ZKfdOW14gX4lfn0TvoejIG4E_P62dLZ4zA4Sm1f6MagR6Bihl8hWY9R2ujbGcpaHwzgaHHisTpauipX34N4Fwhk/s640/Screen+Shot+2014-01-03+at+10.29.49.png" width="640" /></a></div>
<div>
<br /></div>
<div>
The kernelcache is an IMG3 container whose payload is AES-encrypted and, underneath the encryption, LZSS-compressed, so we need to decrypt it first and then decompress it.</div>
<div>
<br /></div>
<div>
To decrypt you can use either xpwn or decodeimg3. I opted for decodeimg3 as it is a single Perl script; you can download it from here:<br />
<br />
<a href="http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/decodeimg3.pl">http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/decodeimg3.pl</a><br />
<br />
I had a couple of issues running the script at first because the <i>Crypt::Rijndael</i> Perl module wasn't installed (info on installing Perl modules <a href="http://www.cpan.org/modules/INSTALL.html" target="_blank">here</a>). Once it was installed the script worked fine.</div>
<div>
<br /></div>
<div>
To decrypt the kernelcache you will also need the IV and Key from the iPhone wiki for the specific firmware build you are interested in. The iPhone 4 GSM IV & Key can be found here:<br />
<br />
<a href="http://theiphonewiki.com/wiki/InnsbruckTaos_11B554a_(iPhone_4_GSM)">http://theiphonewiki.com/wiki/InnsbruckTaos_11B554a_(iPhone_4_GSM)</a><br />
<br />
Once you are on that page locate the IV & Key for kernelcache.release.n90 as below, you will need them in a minute:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJcBlDoDGDn9Me9QMohBCb8KmQSq31qwtyvfpLZ-9VaTFWLYf_xASQE_dQS7f-0zp-N1p3jjIXZlItp8izPHOg6AnK8kNGx0LMjbbabKsEhoWi8efGSLzU24mZr6YbHPTX01A3juxkz2Y/s1600/Screen+Shot+2014-01-03+at+10.47.25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJcBlDoDGDn9Me9QMohBCb8KmQSq31qwtyvfpLZ-9VaTFWLYf_xASQE_dQS7f-0zp-N1p3jjIXZlItp8izPHOg6AnK8kNGx0LMjbbabKsEhoWi8efGSLzU24mZr6YbHPTX01A3juxkz2Y/s640/Screen+Shot+2014-01-03+at+10.47.25.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To decrypt your extracted kernel use the following command:</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="p1">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ ./decodeimg3 <YOUR KERNEL> -v -o <DECRYPTED KERNEL> -k <KEY FROM WIKI> -iv <IV FROM WIKI> </b></span></div>
<div class="p1">
</div>
<ul>
<li><span style="font-size: x-small;"><YOUR KERNEL> = the kernelcache.release.n90 we extracted from the IPSW earlier.</span></li>
<li><span style="font-size: x-small;">-v = verbose</span></li>
<li><span style="font-size: x-small;">-o = output file; I use the same file name with .lzss appended so it is obvious the output is still LZSS-compressed.</span></li>
<li><span style="font-size: x-small;">-k = key from the wiki</span></li>
<li><span style="font-size: x-small;">-iv = IV from the wiki</span></li>
</ul>
<br />
<div class="p1">
<br /></div>
<div class="p1">
Below is the output from decrypting the kernel:</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivjqWTk1UrPcVfF6HWaJxCVrc1UiTk_ln60Jkbw_fr2r6T8VkXW8vO6X3RRIByQK9ms7LLrRrJDTtulZhyphenhyphenZYj6ObjyZj_2sr9KK0vqcUT8Gd8x8imMtLVtH2GFhPXNanSCF-CZQgUSXTU/s1600/Screen+Shot+2014-01-03+at+10.53.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivjqWTk1UrPcVfF6HWaJxCVrc1UiTk_ln60Jkbw_fr2r6T8VkXW8vO6X3RRIByQK9ms7LLrRrJDTtulZhyphenhyphenZYj6ObjyZj_2sr9KK0vqcUT8Gd8x8imMtLVtH2GFhPXNanSCF-CZQgUSXTU/s640/Screen+Shot+2014-01-03+at+10.53.03.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
<br /></div>
<div class="p1">
Next step is to decompress the kernel using lzssdec, the source code can be found here:</div>
<div class="p1">
<br /></div>
<div class="p1">
<a href="http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/lzssdec.cpp">http://nah6.com/~itsme/cvs-xdadevtools/iphone/tools/lzssdec.cpp</a></div>
<div class="p1">
<br /></div>
<div class="p1">
You will need to compile this, I used the following command to compile it on OSX:</div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ g++ lzssdec.cpp -o lzssdec</b></span></div>
<div class="p1">
<br /></div>
<div class="p1">
Now you need to know the offset at which the LZSS stream starts. Open the decrypted (but still compressed) kernel in a hex editor: the file should begin with the "complzss" signature (if it doesn't, the key or IV was wrong), and the compressed stream itself begins with an LZSS flag byte immediately followed by the Mach-O magic 0xFEEDFACE as literal bytes, stored little-endian as CE FA ED FE. Searching for that sequence shows you where the stream starts (one byte before the magic, at the flag byte), as in the screen shot below:</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLLS33XaPpjKC01kh2A8Q901AWyLyIP7OBRMxaibtdmHJ4svAil_u1rOdG21YDEK7n3ElTM0p2pTBoP8_l5FSI67JurRVqOIIsACc8_lrZEE4Zxmnz56fET027iNzDbjw-qPktwN7n6dY/s1600/Screen+Shot+2014-01-03+at+11.33.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLLS33XaPpjKC01kh2A8Q901AWyLyIP7OBRMxaibtdmHJ4svAil_u1rOdG21YDEK7n3ElTM0p2pTBoP8_l5FSI67JurRVqOIIsACc8_lrZEE4Zxmnz56fET027iNzDbjw-qPktwN7n6dY/s400/Screen+Shot+2014-01-03+at+11.33.19.png" width="400" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
The offset we need is 0x0180 to decompress our kernelcache.release.n90.lzss file.</div>
<div class="p1">
<br /></div>
<div class="p1">
Using the lzssdec tool we compiled earlier, the correct offset and our decrypted kernel, we can now decompress it into a Mach-O ARM binary with the command below: </div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ lzssdec -o 0x0180 < kernelcache.release.n90.lzss > kernelcache.release.n90.cleartext</b></span></div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjymoNf-XqExkYBGpl9zrcB_CgLjXdi3u7rH4BimA4OQDLZgssLItFxmGrV5JO3bRIqjKKO3ykxDa52eBtc9JoRZaDpQ-uY08yY__EIe6Er3A9XwyDp6LpImTa8PoUKfcojDk0TNcJL0YY/s1600/Screen+Shot+2014-01-03+at+11.39.37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjymoNf-XqExkYBGpl9zrcB_CgLjXdi3u7rH4BimA4OQDLZgssLItFxmGrV5JO3bRIqjKKO3ykxDa52eBtc9JoRZaDpQ-uY08yY__EIe6Er3A9XwyDp6LpImTa8PoUKfcojDk0TNcJL0YY/s640/Screen+Shot+2014-01-03+at+11.39.37.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
To check you have a decrypted and decompressed mach-o ARM binary use the following:</div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<div class="p1">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ file kernelcache.release.n90.cleartext </b></span></div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvU3ZWrNaJsNGdU7_h6TsEaLUiCi3DbssBtdnEI7Jyn3oIwZs_gusxkH0F59J38fwe4gQw7ZgusJwafAkDwU-bW4Z_1UgfxLPBatQ8DVjKrkj28tKwn9HhJOGqwUPk5H4bRFUtEcJCb0k/s1600/Screen+Shot+2014-01-03+at+11.40.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvU3ZWrNaJsNGdU7_h6TsEaLUiCi3DbssBtdnEI7Jyn3oIwZs_gusxkH0F59J38fwe4gQw7ZgusJwafAkDwU-bW4Z_1UgfxLPBatQ8DVjKrkj28tKwn9HhJOGqwUPk5H4bRFUtEcJCb0k/s640/Screen+Shot+2014-01-03+at+11.40.02.png" width="640" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
The binary should open up in <a href="https://www.hex-rays.com/products/ida/" target="_blank">IDA Pro</a> or <a href="http://www.hopperapp.com/" target="_blank">Hopper</a> so you can disassemble and reverse the kernel further :)</div>
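<div>
The decompression step as an added worked example, not code from this post, from decodeimg3 or from lzssdec: the Python below reimplements the LZSS variant that Apple's boot code (and lzssdec) uses, parses the "complzss" header fields that the public BootX source defines, and checks the inflated result's size and adler32 against the header, which is how you tell a wrong key, IV or offset from a good decrypt without eyeballing a hex dump. The encoder, the padding to 0x180 and the "kernel" bytes are constructed for the example; in real use the input to unpack_kernelcache() is the decrypted .lzss file that decodeimg3 wrote.</div>

```python
"""Inflate an Apple 'complzss' kernelcache container. Added example: not code from
the post, decodeimg3 or lzssdec. It reimplements the LZSS variant Apple's boot code
uses (ring N=4096, matches of 3..18 bytes), the algorithm lzssdec.cpp implements, and
reads the header fields the public BootX source defines (signature, big-endian
adler32, uncompressed size, compressed size). 0x180 is the payload offset the page
found; the sample 'kernel' below is constructed, not a real kernelcache."""
import struct
import zlib

N, F, THRESHOLD = 4096, 18, 2          # ring size, longest match, shortest match - 1
PAYLOAD_OFFSET = 0x180                 # where the page found the stream in a hex editor
MACHO_MAGIC_LE = b"\xce\xfa\xed\xfe"   # 0xFEEDFACE as a 32-bit ARM Mach-O stores it


def lzss_decompress(src: bytes) -> bytes:
    """Mirror of BootX decompress_lzss(): ring pre-filled with spaces, cursor r = N-F,
    back-references copied byte by byte so overlapping copies behave as Apple's do."""
    text, out = bytearray(b" " * (N - F)) + bytearray(F), bytearray()
    r, i, flags = N - F, 0, 0

    def emit(c):
        nonlocal r
        out.append(c)
        text[r] = c
        r = (r + 1) & (N - 1)

    while True:
        flags >>= 1
        if not flags & 0x100:            # eight items consumed: fetch the next flag byte
            if i >= len(src):
                break
            flags, i = src[i] | 0xFF00, i + 1
        if flags & 1:                    # bit set: literal byte
            if i >= len(src):
                break
            emit(src[i])
            i += 1
        else:                            # bit clear: 12-bit ring position, 4-bit length
            if i + 1 >= len(src):
                break
            lo, hi, i = src[i], src[i + 1], i + 2
            p = lo | ((hi & 0xF0) << 4)
            for k in range((hi & 0x0F) + THRESHOLD + 1):
                emit(text[(p + k) & (N - 1)])
    return bytes(out)


def _usable(p, r, k, written):
    """Skip matches Apple's decoder could not reproduce: reads of cells it writes during
    the same copy, or of the last F-1 ring cells before anything was written there."""
    reads = {(p + j) & (N - 1) for j in range(k)}
    if reads & {(r + j) & (N - 1) for j in range(k)}:
        return False
    return written >= F or all(c < N - F + written for c in reads)


def lzss_compress(data: bytes) -> bytes:
    """Greedy encoder (not Apple's) producing a stream lzss_decompress() accepts."""
    text, out = bytearray(b" " * (N - F)) + bytearray(F), bytearray()
    r, pos = N - F, 0
    while pos < len(data):
        flag_at, flags = len(out), 0
        out.append(0)                    # placeholder, patched once eight items are known
        for bit in range(8):
            if pos >= len(data):
                break
            best_len, best_pos, max_len = 0, 0, min(F, len(data) - pos)
            for p in range(N):
                k = 0
                while k < max_len and text[(p + k) & (N - 1)] == data[pos + k]:
                    k += 1
                if k > max(best_len, THRESHOLD) and _usable(p, r, k, pos):
                    best_len, best_pos = k, p
                    if k == max_len:
                        break
            if best_len:                 # low 8 bits of p, then p's top nibble | (len - 3)
                out += bytes([best_pos & 0xFF, ((best_pos >> 4) & 0xF0) | (best_len - THRESHOLD - 1)])
            else:
                flags |= 1 << bit
                out.append(data[pos])
            n = best_len or 1
            for c in data[pos:pos + n]:  # keep the ring in step with the decoder
                text[r] = c
                r = (r + 1) & (N - 1)
            pos += n
        out[flag_at] = flags
    return bytes(out)


def wrap_complzss(kernel: bytes) -> bytes:
    """Lay out a container as a decrypted kernelcache looks: header, padding, stream."""
    comp = lzss_compress(kernel)
    hdr = b"complzss" + struct.pack(">III", zlib.adler32(kernel), len(kernel), len(comp))
    return hdr.ljust(PAYLOAD_OFFSET, b"\0") + comp


def unpack_kernelcache(blob: bytes, offset: int = PAYLOAD_OFFSET) -> bytes:
    """Check the signature, inflate, then verify size and adler32, so a wrong key/IV or
    a wrong offset fails here instead of yielding a silently corrupt Mach-O."""
    if blob[:8] != b"complzss":
        raise ValueError("no complzss signature: wrong key/IV, or not a kernelcache")
    adler, usize, csize = struct.unpack(">III", blob[8:20])
    kernel = lzss_decompress(blob[offset:offset + csize])
    if len(kernel) != usize or zlib.adler32(kernel) != adler:
        raise ValueError("size/adler32 mismatch: wrong payload offset?")
    return kernel


# Constructed stand-in for a kernel: Mach-O magic, a fake header, repetitive strings.
SAMPLE_KERNEL = MACHO_MAGIC_LE + struct.pack("<6I", 12, 9, 2, 0, 0, 0) + (
    b"__TEXT" + bytes(10) + b"com.apple.kernel\0") * 40
SAMPLE_BLOB = wrap_complzss(SAMPLE_KERNEL)
```

<div>
On a real decrypted kernelcache, <b>unpack_kernelcache(open("kernelcache.release.n90.lzss", "rb").read())</b> gives you the same Mach-O that lzssdec -o 0x0180 produces, and the adler32 comparison fails loudly if the key, IV or offset was wrong, which a successful-looking lzssdec run does not. The constructed blob also shows why the hex editor search works: the stream at 0x180 begins with a flag byte and then CE FA ED FE as the first literals. The <b>file</b> check from the post still applies to the output.</div>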
<div class="p1">
<br /></div>
<div class="p1">
Thanks...</div>
<div class="p1">
</div>
<ol>
<li><a href="http://itsme.home.xs4all.nl/personal/me/" target="_blank">Willem Hengeveld</a> for his scripts and tools (decodeimg3 & lzssdec).</li>
<li><a href="http://www.amazon.co.uk/Mac-OS-IOS-Internals-Programmer/dp/1118057651" target="_blank">Jonathan Levin for the book Mac OS X and iOS Internals</a>, an excellent reference.</li>
<li><a href="http://theiphonewiki.com/wiki/The_iPhone_Wiki:Community_portal" target="_blank">The iPhone Wiki</a>, the best iOS resource on the web!</li>
</ol>
</div>
<h2>OpenJailbreak, fuzzyDuck & iOS fuzzing...</h2>
<div>isa56k, 2013-11-05</div>
<h3>
<span style="color: yellow;">OpenJailbreak Project:-</span></h3>
<div>
<span style="color: yellow;"><br /></span></div>
At <a href="http://jailbreakcon.com/" target="_blank">JailbreakCon</a> 2013 in New York the launch of a new project, "OpenJailbreak", was announced. Its main purpose is to create a central open source repository for all the tools that get created while a jailbreak release is developed, giving developers, security researchers and jailbreak teams what they need to keep jailbreaking sustainable. At the moment a handful of projects are running, but as the initiative picks up more side projects are expected to flourish.<br />
<br />
As well as creating the tools and providing the source, another stream has come out of the OpenJailbreak project in the form of education and training: a jailbreak class is run every week. The goal is for the members of the community who contribute to the classes to create an untethered jailbreak. The class is held via Skype & IRC each Saturday at 1pm UTC and usually lasts around one to two hours.<br />
<br />
Each week progress is discussed, with individual members contributing their findings and passing on their knowledge to the group: so far tools, crashes, or anything else of interest to jailbreaking in general.<br />
<br />
The initial classes covered the jailbreaking process and what will be required. Since then things have picked up speed and time has been spent looking into fuzzing and creating tools and wrappers that automate the fuzzing process. The next step is to investigate the crashes that have been submitted and reverse engineer what is happening; once that is done it may be possible to work out whether a crash is exploitable. More information on the classes can be found at the link below:<br />
<br />
<blockquote class="tr_bq">
<a href="http://www.reddit.com/r/jailbreak/comments/1nxoq7/openjailbreak_class/"><span style="font-family: Courier New, Courier, monospace;">http://www.reddit.com/r/jailbreak/comments/1nxoq7/openjailbreak_class/</span></a></blockquote>
<br />
<h3>
<span style="color: yellow;">fuzzyDuck automated iOS fuzzing tool:-</span></h3>
<div>
<span style="color: yellow;"><br /></span></div>
<div>
As fuzzing was topical I thought I would take a look into it and read the chapter on fuzzing in the <a href="http://www.amazon.co.uk/IOS-Hackers-Handbook-Charlie-Miller/dp/1118204123" target="_blank">iOS Hacker's Handbook</a>. After reading it and listening in on some of the discussion on #OpenJailbreak I decided to automate the process, so that a test case could be fuzzed, loaded in MobileSafari, and any crash copied to a directory along with the fuzzed test case for later review. I could then check whether it was reproducible across devices and iOS versions.<br />
<br />
<span style="color: orange;"><b>Web Server</b></span><br />
<br />
I decided the best place to do this was on the device itself. The downside is that you need a jailbroken device, but it gives you plenty of flexibility in copying the crash log and the test case wherever you want for further investigation. A couple of people were looking at using Python as a web server on the device, which seemed feasible as you can simply use:<br />
<b><br /></b>
<br />
<blockquote class="tr_bq">
<b><span style="color: lime; font-family: Courier New, Courier, monospace;">#python -m SimpleHTTPServer 8080</span></b></blockquote>
<br />
This serves the directory you are in over HTTP, so you can then open the test case in MobileSafari, e.g. simply by opening:<br />
<br />
<blockquote class="tr_bq">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>http://localhost:8080/myTestCase.mov</b></span></blockquote>
<br />
After trying this I found that Python wasn't the best option: the .mov file would not play in MobileSafari, although serving the same content from the device to desktop Safari was fine and the .mov files played. I don't know why, but I decided to look for another httpd to serve the test cases on the device. It didn't take long to find lighttpd, a very lightweight HTTP server (as the name suggests) that is available from Cydia.<br />
<br />
With lighttpd running, a .mov file I had recorded with the device's camera played perfectly in MobileSafari on the device. I then grabbed another .mov from the <a href="http://support.apple.com/kb/ht1425" target="_blank">Apple Support site</a> and served it the same way: it did not play in MobileSafari but did in desktop Safari, which I *think* matters. A file you are going to fuzz should play before it is fuzzed. This isn't gospel (just my findings), but if the unmodified .mov already fails before the parser reaches the part of the file you have mutated, then fuzzing that part is wasted. It is probably safe to say that if the .mov plays, it is a good candidate to fuzz and you have a better chance of crashing something.<br />
<br />
<span style="color: orange;"><b>Fuzzer</b></span><br />
<div>
<br /></div>
Now I had a web server I needed a script that would run, mutating my test case and then launching it in MobileSafari; if it caused a crash, the crash dump and the mutated test case should be copied to a crashes directory. This is pretty much how the iOS Hacker's Handbook does it, so I thought I would give it a go. In the book Charlie Miller writes his own fuzzer in Python. After not having much luck with Python earlier, and reading that it had performance issues on iOS, I thought it would be better to use <a href="http://caca.zoy.org/wiki/zzuf" target="_blank">zzuf</a>. zzuf had been discussed in the classes and a few others were having luck with it, so I gave it a go. I'm not sure where it came from, but I managed to find a copy of zzuf that had been built for iOS; I believe it was compiled for ARM by comex, so props to him for that!<br />
<br />
zzuf takes the original test case, mutates it and writes it to another file. As well as the input and output files you can specify a seed (-s) and a fuzzing ratio (-r), the proportion of bits that get altered; given a lo:hi range zzuf picks a ratio within that range from the seed. The ratio in my script was suggested by <a href="https://twitter.com/compiledEntropy" target="_blank">compiledEntropy</a>, but you can play with it and change it around to see what results you get; the more you raise it the longer it may take to generate a test case. Keep a note of the seed for each case, as it is what lets you regenerate the same mutated file later. This is the command I use to create test cases:<br />
<br />
<blockquote class="tr_bq">
<b><span style="color: lime; font-family: Courier New, Courier, monospace;">#zzuf -s $RANDOM -r 0.0001:0.001 < originalTestCase.mov > mutatedTestCase.mov</span></b></blockquote>
<br />
<span style="color: orange;"><b>Testing</b></span><br />
<div>
<br /></div>
After the test case is created I needed a way to test it; the iOS Hacker's Handbook to the rescue (again)! The simplest way is a tool called sbopenurl: pass it a URL and it launches MobileSafari and opens that URL. It is available from the Cydia package com.innoying.sbutils. The command is simply:<br />
<br />
<blockquote class="tr_bq">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>#sbopenurl http://localhost:3000/mutatedTestCase.mov</b></span></blockquote>
<br />
I know others had tried to create web pages that auto-ran the test case, but this seemed to fail: MobileSafari appears to demand a user gesture before playing, so it wouldn't work in an automated fashion.<br />
<br />
<span style="color: orange;"><b>Crash Dumps</b></span><br />
<br />
Now I had a way to serve the test cases (lighttpd), create them (zzuf) and open them (sbopenurl). The final step was to check for crashes and put it all into one big loop to run and run! It seems that nearly all crash logs eventually end up in:<br />
<br />
<br />
<blockquote class="tr_bq">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>/var/mobile/Library/Logs/CrashReporter/</b></span></blockquote>
<div class="p1">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b><br /></b></span></div>
<div class="p1">
I'm not entirely sure how they get there though, it seems after a Kernel Panic the kernel panic logs are initially created in the directory below:</div>
<div class="p1">
<br /></div>
<div class="p1">
</div>
<blockquote class="tr_bq">
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>/var/logs/CrashReporter/</b></span></blockquote>
<div class="p1">
<br /></div>
<div class="p1">
When you navigate to Settings > General > About > Diagnostics & Usage > Diagnostics & Usage Data on the device the crash logs are copied into the directory previously mentioned:</div>
<div class="p1">
<b style="color: lime; font-family: 'Courier New', Courier, monospace;"><br /></b></div>
<blockquote class="tr_bq">
<b style="color: lime; font-family: 'Courier New', Courier, monospace;">/var/mobile/Library/Logs/CrashReporter/</b></blockquote>
</div>
<div>
<b style="color: lime; font-family: 'Courier New', Courier, monospace;"><br /></b></div>
<div>
I couldn't work out what was doing this. Looking through the Preferences app there seems to be an instance method cleanupTimer that invokes crash_mover, but running crash_mover manually, or starting its launch daemon (com.apple.crash_mover), didn't work for me. In the end I gave up and decided to just check both directories for logs and copy them out. I would have preferred to aggregate them in one directory using an 'OEM' supplied method like crash_mover, but this will have to do for now.</div>
<div>
<br /></div>
<div>
<span style="color: orange;"><b>Recovering</b></span></div>
<div>
<br /></div>
<div>
After running my script for a few days I soon realised that I was getting kernel panics, which was good, but it meant that my testing stopped until I manually started the script again. I wanted to test all day and night and just check the results at the end of the day. This wasn't too difficult as I could simply create a launch daemon that runs on boot. The plist below defines the launch daemon; it is installed by the fuzzyDuck tool:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5YJd2QyYEG1Lnh5nGcdhKCpQCg_H5FyAODkvrlEQvV0UaQiS8cygWdaiYaDaWO6qXaJAq7Rhu8FYqAfuscE8BNSADbz4W4kb5iz7Bw_xI3uixHjUAoAILGJfabi5zb_fmc6o3WzTHbmI/s1600/Screen+Shot+2013-10-27+at+21.02.21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5YJd2QyYEG1Lnh5nGcdhKCpQCg_H5FyAODkvrlEQvV0UaQiS8cygWdaiYaDaWO6qXaJAq7Rhu8FYqAfuscE8BNSADbz4W4kb5iz7Bw_xI3uixHjUAoAILGJfabi5zb_fmc6o3WzTHbmI/s400/Screen+Shot+2013-10-27+at+21.02.21.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://ghostbin.com/paste/wksay">https://ghostbin.com/paste/wksay</a></div>
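<div>
The loop described above, reduced to its two bookkeeping halves as an added example. This is not fuzzyDuck's own code (that is a shell script on the device driving zzuf, lighttpd and sbopenurl): mutate() follows the meaning of zzuf's -s SEED and -r LO:HI options, flipping a seed-chosen fraction of bits, but is not zzuf's generator and will not regenerate zzuf's cases; harvest() snapshots both CrashReporter directories before a case is opened and files every log that appears afterwards next to that case, with a manifest recording seed, ratio and the case's SHA-256 so a crash can be regenerated. The directory names, the .mov bytes and the crash log in demo() are constructed; launch() stands in for sbopenurl.</div>

```python
"""Seeded mutation plus crash harvesting: the two bookkeeping halves of the loop the
post describes. Added example, not fuzzyDuck's own code (that is a shell script on the
device driving zzuf, lighttpd and sbopenurl). mutate() follows the meaning of
`zzuf -s SEED -r LO:HI` (flip a seed-chosen fraction of bits between LO and HI) but
is not zzuf's generator, so it will not regenerate zzuf's cases; harvest() snapshots
both CrashReporter directories the post found and files each new log next to the case
that was open. Directory names, the .mov bytes and the crash log are constructed."""
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path

# The two directories the post found crash logs in (used as-is on a real device).
CRASH_DIRS = ("/var/mobile/Library/Logs/CrashReporter", "/var/logs/CrashReporter")


def mutate(data: bytes, seed: int, lo: float, hi: float) -> bytes:
    """Flip a seed-determined fraction of bits in [lo, hi]; same seed, same case."""
    if not data:
        return data
    rng = random.Random(seed)
    nbits = max(1, round(len(data) * 8 * rng.uniform(lo, hi)))
    buf = bytearray(data)
    for bit in rng.sample(range(len(data) * 8), nbits):
        buf[bit >> 3] ^= 1 << (bit & 7)
    return bytes(buf)


def snapshot(dirs) -> set:
    """Every log file currently present across all crash directories."""
    return {p for d in dirs for p in Path(d).glob("*") if p.is_file()}


def harvest(dirs, before: set, case: Path, out_dir: Path, meta: dict) -> list:
    """Copy logs that appeared since `before` next to the case that was open, with a
    manifest carrying seed, ratio and the case's sha256 so the run can be reproduced."""
    new = sorted(snapshot(dirs) - before)
    if not new:
        return []
    dest = out_dir / f"crash_seed{meta['seed']}"
    dest.mkdir(parents=True, exist_ok=True)
    shutil.copy2(case, dest / case.name)
    for log in new:
        shutil.copy2(log, dest / log.name)
    record = dict(meta, case=case.name, logs=[log.name for log in new],
                  sha256=hashlib.sha256(case.read_bytes()).hexdigest())
    (dest / "manifest.json").write_text(json.dumps(record, indent=1))
    return new


def fuzz_once(seed: int, original: bytes, dirs, www: Path, out_dir: Path,
              lo: float = 0.0001, hi: float = 0.001, launch=lambda url: None) -> list:
    """One loop iteration: write the mutated case under the web root, open it (launch()
    stands in for `sbopenurl URL`; on the device you would subprocess it), then harvest."""
    before = snapshot(dirs)
    case = www / "mutatedTestCase.mov"
    case.write_bytes(mutate(original, seed, lo, hi))
    launch(f"http://localhost:3000/{case.name}")
    return harvest(dirs, before, case, out_dir, {"seed": seed, "ratio": f"{lo}:{hi}"})


def demo() -> dict:
    """Stand-alone run in a temp dir with a constructed .mov and a faked crash log."""
    root = Path(tempfile.mkdtemp())
    dirs = [root / "Logs_CrashReporter", root / "logs_CrashReporter"]   # stand-ins for CRASH_DIRS
    for d in dirs + [root / "www", root / "crashes"]:
        d.mkdir()
    original = b"\x00\x00\x00\x14ftypqt  " + bytes(range(256)) * 4      # constructed, not a real movie

    def fake_launch(url):   # pretend MobileSafari crashed on this URL and left a log
        (dirs[1] / "MobileSafari-2013-10-27.ips").write_text("constructed crash log for " + url)

    found = fuzz_once(7, original, dirs, root / "www", root / "crashes", launch=fake_launch)
    manifest = json.loads((root / "crashes" / "crash_seed7" / "manifest.json").read_text())
    shutil.rmtree(root)
    return {"new_logs": len(found), "manifest": manifest}
```

<div>
The point of the snapshot-and-diff is the one the post ran into: logs can land in either directory and you cannot rely on crash_mover to consolidate them, so harvest() takes a before/after set across both rather than watching one path. The manifest is what makes a crash worth keeping; without the seed and ratio you only have the mutated file, not a way to produce the next one like it.</div>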
<div>
<br /></div>
<div>
<span style="color: orange;"><b>House Keeping and Install</b></span></div>
<div>
<span style="color: orange;"><b><br /></b></span></div>
<div>
I wanted fuzzyDuck to be easy for anyone to use, so it also includes a number of steps to check for the required software and install it if necessary, as well as some fairly verbose output. I think overall it is a useful tool for a beginner to play with. To get fuzzyDuck grab it from the GitHub link below:</div>
<div>
<br /></div>
<blockquote class="tr_bq">
<a href="https://github.com/isa56k/fuzzyDuck"><span style="font-family: Courier New, Courier, monospace;">https://github.com/isa56k/fuzzyDuck</span></a></blockquote>
<div>
<br /></div>
<div>
The README.md contains the install instructions. Any questions, fire them over on Twitter or IRC to @isa56k =)</div>
<div>
<br /></div>
<div>
Now to try understand WTF the crash dumps are telling me.... </div>
<div>
<br /></div>
<h2>Swerving 'Root' detection on Android...</h2>
<div>isa56k, 2013-09-09</div>
<span style="font-family: Arial, Helvetica, sans-serif;">Last week I was having problems with an Android application that had root detection built in. I don't do a great deal with Android so it's not something I have had to look at before. A user at work had 'rooted' their device to tweak it a little and disable a load of 'bloatware' that was apparently causing performance issues.</span><br />
<div>
<br />
Once they had rooted it, one of their key applications stopped working as it appeared to be doing some 'root' detection. Having looked at iOS jailbreak detection and defeated that for some apps, I decided to have a crack and see if something similar could be done. I had played around with the Android Debug Bridge (adb) before so already had the Android SDK installed.<br />
<br />
First up was grabbing a copy of the .apk from the device. This was pretty easy as I could list the installed packages via adb shell and then use adb pull to copy the .apk across to my laptop. Simples.<br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ adb shell</b></span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>shell@mako:/ $ pm list packages -f | grep <name of application></b></span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ adb pull <path to .apk></b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrRzm4q8Nx3ID7MxljvKagmFuTKWVCl1DnDBIHyl0IqKxD464h3sR_kEV6Ffi7zBKowQQU2NuO8wBblqO0IL3_gYazq6m19xK9sYdJYOCwKZ86741Y6J8_lu4zySwD6xHwv0fKjYt4pEU/s1600/Screen+Shot+2013-09-06+at+16.41.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrRzm4q8Nx3ID7MxljvKagmFuTKWVCl1DnDBIHyl0IqKxD464h3sR_kEV6Ffi7zBKowQQU2NuO8wBblqO0IL3_gYazq6m19xK9sYdJYOCwKZ86741Y6J8_lu4zySwD6xHwv0fKjYt4pEU/s320/Screen+Shot+2013-09-06+at+16.41.58.png" width="320" /></a></div>
<br />
Once I had a copy of the .apk I just needed to take it apart to work out what was going on. A quick Google and I found 'apktool'. I installed it and ran it against the .apk, which generated a load of directories and, crucially, some smali code. smali/baksmali are the assembler and disassembler for the dex format used by Dalvik (Android), and smali is also the name of the assembly language they use; more info here: <a href="https://code.google.com/p/smali/">https://code.google.com/p/smali/</a>.<br />
<br />
Disassembling the application was pretty easy, with no 'FairPlay' decryption like you see on iOS:<br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ apktool d <path to .apk></b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuCTTq3AkKkPnjo9A_nmRKPD-uZfNKHbidjg0AcHe60Ysn1ri6oM6u-rj9p5dJ__TG0JzXu_XOGBtWLArkwH9oxNfAz_8Jxgt5Zy1Mmef4tabTOWkkyLREwUAbHnzYulpaiDbjn3RqNNQ/s1600/Screen+Shot+2013-09-06+at+16.36.27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="114" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuCTTq3AkKkPnjo9A_nmRKPD-uZfNKHbidjg0AcHe60Ysn1ri6oM6u-rj9p5dJ__TG0JzXu_XOGBtWLArkwH9oxNfAz_8Jxgt5Zy1Mmef4tabTOWkkyLREwUAbHnzYulpaiDbjn3RqNNQ/s320/Screen+Shot+2013-09-06+at+16.36.27.png" width="320" /></a></div>
<br />
A quick grep of the .smali files for the keyword 'rooted' found all the files that might be related to the root detection. This was a bit of guesswork, but I got lucky: I was soon able to find a couple of methods called 'isRootedDevice' and 'isRooted' in a couple of the smali files. Had the developers called the methods something else it might not have been quite so easy.</div>
<div>
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ grep -ri rooted</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOKAS0ruR9kzPNw7ZNcDM9XCtVRB8xkh4d5mNKluy-f5ElUc0LJReczuA_QJHNa-w5mq2WQt3fsOdHTIlFup0L3BpD0GWsxVmcstU4XdahExphEVIHddOpKtJeqDm0e_mCSCmhYNUUsdY/s1600/Screen+Shot+2013-09-06+at+16.55.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOKAS0ruR9kzPNw7ZNcDM9XCtVRB8xkh4d5mNKluy-f5ElUc0LJReczuA_QJHNa-w5mq2WQt3fsOdHTIlFup0L3BpD0GWsxVmcstU4XdahExphEVIHddOpKtJeqDm0e_mCSCmhYNUUsdY/s320/Screen+Shot+2013-09-06+at+16.55.49.png" width="320" /></a></div>
<br />
This looked promising so I opened each smali file and searched for 'isRooted'. </div>
<div>
<br /></div>
<div>
From examining the code I worked out that the developers were checking for the file /system/app/Superuser.apk and for the string 'test-keys'.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnprWAnS-B589nELTxvPLM0i-wrQVRU70XYBkZcVwcKb3lRiz0sTAclPDkL1zNC-Fypby1cLmrDh2xPBfU1Hkyq5Qf3Ik6LogXfSgLS9kJOydqnh-mWRJ4ZLGolkqGAqKXGW64buezgyY/s1600/Screen+Shot+2013-09-06+at+17.06.56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnprWAnS-B589nELTxvPLM0i-wrQVRU70XYBkZcVwcKb3lRiz0sTAclPDkL1zNC-Fypby1cLmrDh2xPBfU1Hkyq5Qf3Ik6LogXfSgLS9kJOydqnh-mWRJ4ZLGolkqGAqKXGW64buezgyY/s320/Screen+Shot+2013-09-06+at+17.06.56.png" width="221" /></a></div>
<br />
I googled what Superuser.apk is and found a few posts on StackOverflow and the following blog:<br />
<br />
<a href="http://www.simonroses.com/2013/06/appsec-build-rooted-detection-in-your-app/">http://www.simonroses.com/2013/06/appsec-build-rooted-detection-in-your-app/</a><br />
<br />
It seems Superuser.apk is the app that manages which applications get su (root) access. It makes sense for the developer to check for it, as it is present on most rooted devices (a bit like Cydia). If I could change the file name the app was looking for I might be able to defeat this step. The other item being checked is 'test-keys': this value appears in android.os.Build.TAGS when the ROM was signed with the publicly available AOSP test keys, as custom ROMs commonly are, whereas a stock build carries 'release-keys'.<br />
<br />
I modified the smali code so that the application would only report the device as rooted if it found an apk or a string that will never exist. As these would never be found, the device would not be reported as rooted.<br />
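<div>
The grep step done by indicator rather than by method name, as an added example; this is not code from the post or from apktool. It splits every .smali file under an apktool output directory into .method/.end method blocks, collects the const-string values each block loads and reports the blocks that load a known indicator: the two found above (Superuser.apk and test-keys) plus a few assumed extras (su binary paths and su manager package names) that are common in practice. neutralise() applies the same patch the post made by hand, swapping each indicator for a name that will never exist. The smali is constructed to look like apktool output, with obfuscated method names so that a grep for 'rooted' would find nothing.</div>

```python
"""Find root-detection methods in apktool/baksmali output by the strings they check,
not by method name. Added example: not code from the post or from apktool. It splits
each .smali file into .method/.end method blocks, collects the const-string values
each block loads and reports blocks that load a known indicator (the two the post
found, Superuser.apk and test-keys, plus assumed extras: su paths and su managers).
neutralise() applies the post's trick of swapping the strings for ones that never
exist. The smali below is constructed to resemble apktool output, with obfuscated
method names so a grep for 'rooted' would find nothing."""
import re
import shutil
import tempfile
from pathlib import Path

INDICATORS = (
    "/system/app/Superuser.apk",          # found on the page
    "test-keys",                          # found on the page: android.os.Build.TAGS value
    "/system/bin/su", "/system/xbin/su",  # assumed extras, common in practice
    "eu.chainfire.supersu", "com.noshufou.android.su",
)
CONST_STRING = re.compile(r'^const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')


def methods_in(smali: str):
    """Yield (method signature, body lines) for every .method ... .end method block."""
    signature, body = None, []
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method "):
            signature, body = line[len(".method "):], []
        elif line == ".end method" and signature is not None:
            yield signature, body
            signature = None
        elif signature is not None:
            body.append(line)


def find_root_checks(smali: str) -> list:
    """[(signature, [indicators...])] for methods that load an indicator string."""
    hits = []
    for signature, body in methods_in(smali):
        loaded = [m.group(1) for m in map(CONST_STRING.match, body) if m]
        found = sorted({ind for s in loaded for ind in INDICATORS if ind in s})
        if found:
            hits.append((signature, found))
    return hits


def scan_tree(root: Path) -> dict:
    """Map each .smali path under an apktool output dir to its root-check methods."""
    report = {}
    for path in sorted(root.rglob("*.smali")):
        hits = find_root_checks(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def neutralise(smali: str, marker: str = "/nonexistent/never-here") -> str:
    """The post's patch: point every indicator at something that will never be found."""
    for ind in INDICATORS:
        smali = smali.replace(f'"{ind}"', f'"{marker}"')
    return smali


SAMPLE_SMALI = """\
.class public Lcom/example/app/a;
.super Ljava/lang/Object;

.method public static a()Z
    .locals 2
    new-instance v0, Ljava/io/File;
    const-string v1, "/system/app/Superuser.apk"
    invoke-direct {v0, v1}, Ljava/io/File;-><init>(Ljava/lang/String;)V
    invoke-virtual {v0}, Ljava/io/File;->exists()Z
    move-result v0
    return v0
.end method

.method public static b()Z
    .locals 2
    sget-object v0, Landroid/os/Build;->TAGS:Ljava/lang/String;
    const-string v1, "test-keys"
    invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
    move-result v0
    return v0
.end method

.method public static c()Ljava/lang/String;
    .locals 1
    const-string v0, "https://example.invalid/api"
    return-object v0
.end method
"""


def demo() -> dict:
    """Write the sample into a throwaway apktool-style tree, scan it, clean up."""
    root = Path(tempfile.mkdtemp())
    target = root / "smali" / "com" / "example" / "app" / "a.smali"
    target.parent.mkdir(parents=True)
    target.write_text(SAMPLE_SMALI)
    (root / "smali" / "clean.smali").write_text(neutralise(SAMPLE_SMALI))   # patched copy: no hits
    report = scan_tree(root)
    shutil.rmtree(root)
    return report
```

<div>
Run <b>scan_tree(Path("out_dir"))</b> against the directory apktool d produced and you get the methods to open, whatever they are called; the sample's a() and b() are exactly the Superuser.apk and Build.TAGS checks found above, and the neutralised copy reports nothing, which is the state the app was rebuilt in.</div>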
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmtV05f9OkkxHGiD9ePOowO-Ki4lozCB2zrXsngzFa0Wi7-jqxQ67-OvwjG0l_46zojsJfjgQpsRlArhngEg7RD8u-_6dLrUGwwsDMoHw-WmQL7rgaVhE86tDikVrVuxWuV6gdfm5i4cY/s1600/Screen+Shot+2013-09-06+at+17.12.17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmtV05f9OkkxHGiD9ePOowO-Ki4lozCB2zrXsngzFa0Wi7-jqxQ67-OvwjG0l_46zojsJfjgQpsRlArhngEg7RD8u-_6dLrUGwwsDMoHw-WmQL7rgaVhE86tDikVrVuxWuV6gdfm5i4cY/s320/Screen+Shot+2013-09-06+at+17.12.17.png" width="320" /></a></div>
<br />
Next I used the apktool to recompile the binary:<br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ apktool b <directory with source smali in></b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-jVaplvc5yNnK0x7L3dxDHp_2WPE3iSDdO3h_c01cc4rZaLyKCIR-E3fvLAB_G5-irjW8cEDWyNm7RljPB_Hjhj5DNTBKXYZdXuffOPs4UZ1Y0zUKgfp22oVt-nePUzT92KpYCojUY1Y/s1600/Screen+Shot+2013-09-06+at+17.15.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-jVaplvc5yNnK0x7L3dxDHp_2WPE3iSDdO3h_c01cc4rZaLyKCIR-E3fvLAB_G5-irjW8cEDWyNm7RljPB_Hjhj5DNTBKXYZdXuffOPs4UZ1Y0zUKgfp22oVt-nePUzT92KpYCojUY1Y/s320/Screen+Shot+2013-09-06+at+17.15.38.png" width="320" /></a></div>
<br />
Now that I had a package, I could install it onto my device using adb. I tried to install it but got the error 'Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]':<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7B4b1c4wk9zSa4tQgYqHsvf5ByBLMFcyg4ZvaQh5WF8beFdMLBMMhZg8MgpcCHLyfH7QtDW2NlaXRqVu3WVhGJZjCMdhMBLStD0D1Yjm_ETeoeH8UNZ_p9QSJiTg_EoFx47DdxWH_YpM/s1600/Screen+Shot+2013-09-06+at+17.18.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="64" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7B4b1c4wk9zSa4tQgYqHsvf5ByBLMFcyg4ZvaQh5WF8beFdMLBMMhZg8MgpcCHLyfH7QtDW2NlaXRqVu3WVhGJZjCMdhMBLStD0D1Yjm_ETeoeH8UNZ_p9QSJiTg_EoFx47DdxWH_YpM/s320/Screen+Shot+2013-09-06+at+17.18.15.png" width="320" /></a></div>
<br />
It seems I need to sign the package before Android will let me install it. A bit of 'Google Power' and I found that you need to sign the package with jarsigner. First of all I would need a certificate, so I created a keystore and cert with keytool and then signed as below:<br />
<br />
<span style="color: lime;"><b style="font-family: 'Courier New', Courier, monospace;">$ </b><span style="font-family: Courier New, Courier, monospace;"><b>keytool -genkey -v -keystore testing.keystore -alias testing -keyalg RSA -keysize 2048 -validity 10000</b></span></span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b><br /></b></span>
<span style="color: lime; font-family: Courier New, Courier, monospace;"><b>$ jarsigner -verbose -keystore testing.keystore -digestalg SHA1 -sigalg MD5withRSA &lt;path to apk&gt; testing</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIMPyIWQapUofspk2fwX1xyIYNsIpfWZ-pS92WJU0aAD9N0S4Sdky3SqPTuU2RfzQUPzRr4xoCJcyemNT1uNy_LCbv_pCUoWocKIQDEO1ptYKp-RP0teSGtHemHtLMLBBlxOAzvNWCWnU/s1600/Screen+Shot+2013-09-06+at+17.23.58.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIMPyIWQapUofspk2fwX1xyIYNsIpfWZ-pS92WJU0aAD9N0S4Sdky3SqPTuU2RfzQUPzRr4xoCJcyemNT1uNy_LCbv_pCUoWocKIQDEO1ptYKp-RP0teSGtHemHtLMLBBlxOAzvNWCWnU/s320/Screen+Shot+2013-09-06+at+17.23.58.png" width="320" /></a></div>
<br />
Once this was done I installed on a rooted device and bingo... no prompt to say the device was rooted!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcmTQ_IPvi0ylKfqP0lTxisLQwGlMe-whVMJBSVZfUwgDJRiJ4hInPpS7AzPNAqbJV8Jhsnqp-YGqufsybflEL4kIbGBJzWft88olqGpM3DulVtSxjiA94bSOdwvdWGAVuHbawharMxQQ/s1600/Screen+Shot+2013-09-06+at+17.27.34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="71" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcmTQ_IPvi0ylKfqP0lTxisLQwGlMe-whVMJBSVZfUwgDJRiJ4hInPpS7AzPNAqbJV8Jhsnqp-YGqufsybflEL4kIbGBJzWft88olqGpM3DulVtSxjiA94bSOdwvdWGAVuHbawharMxQQ/s320/Screen+Shot+2013-09-06+at+17.27.34.png" width="320" /></a></div>
<br />
I was surprised how easy this was; I had expected it to be a little more challenging. It's quite easy to see how simple it would be to modify a binary, add a trojan or some malware, and then distribute it.</div>
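As an added example (not apktool's or jarsigner's own code), the script below rebuilds the per-entry digest check that the JAR-style signature produced by the jarsigner command above relies on, so you can see why a freshly rebuilt package has nothing for the installer to verify and why any change made after signing is detectable. The APKs it checks are constructed in memory; the .SF and .RSA contents are placeholders.

```python
"""Check what a JAR-style (v1) APK signature covers and when it is absent.

Added example, not apktool's or jarsigner's code. jarsigner -digestalg SHA1
writes META-INF/MANIFEST.MF with one base64 'SHA1-Digest' per zip entry, plus
a .SF file and a .RSA PKCS#7 block; INSTALL_PARSE_FAILED_NO_CERTIFICATES is
what the installer reports when those META-INF files are missing, as they are
straight after 'apktool b'. The APKs below are constructed in memory.
"""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")


def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def write_manifest(entries: dict) -> bytes:
    """Lay out MANIFEST.MF as jarsigner does (long names would need 72-column
    continuation lines, which this constructed data never needs)."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(raw: bytes) -> dict:
    digests, current = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current:
            digests[current] = line[len("SHA1-Digest: "):]
    return digests


def build_apk(entries: dict, manifest_for: dict = None, signed: bool = True) -> bytes:
    """Constructed APK. `manifest_for` lets the manifest describe different
    bytes than the package holds, i.e. an entry patched after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        if signed:
            z.writestr("META-INF/MANIFEST.MF", write_manifest(manifest_for or entries))
            z.writestr("META-INF/TESTING.SF", b"placeholder signature file")
            z.writestr("META-INF/TESTING.RSA", b"placeholder PKCS#7 block")
    return buf.getvalue()


def verify_v1(apk: bytes):
    """Return ('unsigned' | 'ok' | 'modified', list_of_findings).

    A passing check only means the package is self-consistent: the .SF/.RSA
    chain and the signer's certificate are what tie it to a developer, and a
    repackager simply re-signs with a keystore of their own.
    """
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        if not any(n.startswith("META-INF/") and n.endswith(SIG_BLOCK_EXTS) for n in names):
            return "unsigned", ["no META-INF signature block: install fails with "
                                "INSTALL_PARSE_FAILED_NO_CERTIFICATES"]
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        findings = []
        for n in names:
            if n.startswith("META-INF/") or n.endswith("/"):
                continue
            if n not in digests:
                findings.append(f"{n}: not covered by the manifest")
            elif digests[n] != sha1_b64(z.read(n)):
                findings.append(f"{n}: digest mismatch, entry changed after signing")
        return ("modified" if findings else "ok"), findings


if __name__ == "__main__":
    original = {"AndroidManifest.xml": b"binary xml placeholder", "classes.dex": b"constructed dex"}
    patched = {**original, "classes.dex": b"constructed dex, root check patched"}
    print("apktool b output :", verify_v1(build_apk(original, signed=False)))
    print("signed package   :", verify_v1(build_apk(original)))
    print("patched after sig:", verify_v1(build_apk(patched, manifest_for=original)))
```

On a real package, `apksigner verify --print-certs` prints the signer certificate fingerprints, which is the value to compare against the developer's known key.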
<br />
<b>Dangerfield Bogotas...</b> (2013-09-05)<br>
<br>
Over the last few months I have been trying my hand at lock picking; it's a life skill that one day I'm sure will either get me out of trouble or land me in it. Either way, when the barrel rolls and you have got non-destructive keyless entry it's a buzz!<br>
<br>
I started off with a <a href="http://www.ukbumpkeys.com/product_SouthOrd-22pc-Slimline-(Euro)-Lock-pick-set_1890_index.php" target="_blank">22pc Southord</a> set from <a href="https://twitter.com/ukbumpkeys" target="_blank">@ukbumpkeys</a> and some <a href="http://www.ukbumpkeys.com/product_Both-Clear-Practice-Locks_1936_index.php" target="_blank">Brockhage practice locks</a>. One of the locks is a standard 5-pin lock and the other is also 5-pin but has some spool pins. On pretty much the first attempt I managed to pick the non-spool-pinned lock; alas, this seems to have been a fluke! I hadn't been able to do it again, until now.<br>
<br>
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOaTZMOiUegJJjVSZbh2gnmyoap9z2l3tZNhzXGM6oCovGfwpRphyvd3_LfTzYb-245GosG5oS2gDrD7Sv6btS1gjUYXANbBs9tx-lBeztiQdL1vMX2LfCW5Mj2juQnd7DuY6wfquVKlg/s1600/IMG_0162.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOaTZMOiUegJJjVSZbh2gnmyoap9z2l3tZNhzXGM6oCovGfwpRphyvd3_LfTzYb-245GosG5oS2gDrD7Sv6btS1gjUYXANbBs9tx-lBeztiQdL1vMX2LfCW5Mj2juQnd7DuY6wfquVKlg/s320/IMG_0162.JPG" width="240"></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6ioGXwD9npS9Q08FaHN2zEzrMO31YozUH6kgrKyETbH_aSU3Djx2X_J2CPdlQ1jaA4Xf6AXxgu36iesAO4XWp2A17FN0bMDCcg1gWMVttqrrFmnQxmXUcrLZQ86m7SaUxmf3R4B0OXE/s1600/IMG_0163.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU6ioGXwD9npS9Q08FaHN2zEzrMO31YozUH6kgrKyETbH_aSU3Djx2X_J2CPdlQ1jaA4Xf6AXxgu36iesAO4XWp2A17FN0bMDCcg1gWMVttqrrFmnQxmXUcrLZQ86m7SaUxmf3R4B0OXE/s320/IMG_0163.JPG" width="240"></a></div>
<br>
<br>
<br>
I purchased a couple of sets of <a href="http://www.ukbumpkeys.com/product_Dangerfield-Bogota-Lock-Picks_2112_index.php" target="_blank">'Dangerfield Bogotas'</a> from <a href="https://twitter.com/ukbumpkeys" target="_blank">@ukbumpkeys</a>. They have had them specially made and they are awesome. They are really tiny and fit perfectly in your wallet. The finish on them is excellent; they seem to be made of some well-polished steel, which allows them to roll into and out of the lock and over the pins really easily, great for raking. Another neat feature is the slight twist they have in them; I find this helps to get them into a lock a lot more easily than a normal pick.<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4z_PxqTWEzGJGPgySARC2-hwioTbSn19zfrnOFXXpUEPVt1ppc6HvODf0-ZcyVumq1U4hOtol_cDLGxybsJWhbEDRZ5F0dqt1cC8joRsstdb3Lcx0vuXte103yN0OHAFWJMMgMYBXaqg/s1600/IMG_0159.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4z_PxqTWEzGJGPgySARC2-hwioTbSn19zfrnOFXXpUEPVt1ppc6HvODf0-ZcyVumq1U4hOtol_cDLGxybsJWhbEDRZ5F0dqt1cC8joRsstdb3Lcx0vuXte103yN0OHAFWJMMgMYBXaqg/s320/IMG_0159.JPG" width="240"></a></div>
<br>
<br>
<br>
So far I have been able to rake my two practice locks easily, one of which has spool pins and which I had never been able to get into until now (see the red spool pins in the picture below).<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjebtU4J1nI4hyLN5PfXAelO_TScJNz1fTzVDcruWfXaVZxPpn34nHVpTrMtDPHPcT7eSLG_RW7VdcAz597815oczDHMRvX2BGnBLzr3CRQm-PGjFwEMDrh9Y5goBtU8VQ1l7jRwtT9KIc/s1600/IMG_0164.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjebtU4J1nI4hyLN5PfXAelO_TScJNz1fTzVDcruWfXaVZxPpn34nHVpTrMtDPHPcT7eSLG_RW7VdcAz597815oczDHMRvX2BGnBLzr3CRQm-PGjFwEMDrh9Y5goBtU8VQ1l7jRwtT9KIc/s320/IMG_0164.JPG" width="240"></a></div>
<br>
<br>
I'm no expert, but I have been able to pick the 'real' lock below pretty easily with the Bogotas. It is a lock that is in use; a local uPVC conservatory and windows company near to me use them!! Within minutes of trying out the Bogotas it went, no problem.<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCKwYUbvz2aaD0BtAszZWLBIv0XZEpgMBXDx-tR4V9AEtzmeBQrB7-MJEN_Zjp7_GoPQoYZiIHS9efoaYZSoFDbfZWaeBRploULt3RwWw4eigqOq9kRLql_LotAikdUMshEtZEi8jWsjc/s1600/IMG_0166.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCKwYUbvz2aaD0BtAszZWLBIv0XZEpgMBXDx-tR4V9AEtzmeBQrB7-MJEN_Zjp7_GoPQoYZiIHS9efoaYZSoFDbfZWaeBRploULt3RwWw4eigqOq9kRLql_LotAikdUMshEtZEi8jWsjc/s320/IMG_0166.JPG" width="320"></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br></div>
Next up is 'Bumping'. I have purchased a large set of bump keys from <a href="https://twitter.com/ukbumpkeys" target="_blank">@ukbumpkeys</a> so will be trying to perfect this skill in the coming weeks. I need to get some more practice locks and have a go with them, as I think it is all too easy to destroy your own locks. Not something you want to do to your own back door!<br>
<br>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgDqF6rawwjKcrDS07GJRQ6v8w-oa-zWMDP7xAszyrPeSpiMiKJdxkeiqKPGpWbjoYjU36UT5_3ecLSF3VFLc74_4RQoFDSLWwMR4yKbdykxnUsjHU_DgjZkpc65t9WOVbN-SefPxmalo/s1600/IMG_0167.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgDqF6rawwjKcrDS07GJRQ6v8w-oa-zWMDP7xAszyrPeSpiMiKJdxkeiqKPGpWbjoYjU36UT5_3ecLSF3VFLc74_4RQoFDSLWwMR4yKbdykxnUsjHU_DgjZkpc65t9WOVbN-SefPxmalo/s320/IMG_0167.JPG" width="320"></a></div>
<br>
Check out <a href="http://www.ukbumpkeys.com/">www.ukbumpkeys.com</a> for tools and other lock picking gear!<br>
<br>
<br>
<b>iOS7 Error 4027</b> (2013-08-06)<br />
<br />
Quick post....<br />
<br />
If you get the error below when trying to upgrade your iPhone to iOS7 via the beta program:<br />
<br />
"The iPhone XXXX could not be restored. An unknown error occurred (4027)"<br />
<br />
You need to install the "Mobile Device Package Installer" available from the dev centre.<br />
<br />
<br />
<b>VMWare Fusion 5 DHCP Assigned Static IP...</b> (2013-07-30)<br />
<br />
In order to have DHCP-assigned static IP addresses for a Fusion 5 virtual machine you need to modify the following file:<br />
<br />
<div style="text-align: center;">
<b><span style="color: yellow;">/Library/Preferences/VMware\ Fusion/vmnet8/dhcpd.conf</span></b></div>
<br />
The contents of the file should look like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB1kbw2Mmsbu935TuMG4_83s2deyEFST0HAunWLMFx_pnZOK9oml16ocnmk-HBnbrq7SphF0dXoICLeB3TXAV22mNRz_6IrSrIvk2i7KYOib_ouUl8V_Ni8enbfbKIywX5VXYHmRxyOCs/s1600/Screen+Shot+2013-07-30+at+19.33.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB1kbw2Mmsbu935TuMG4_83s2deyEFST0HAunWLMFx_pnZOK9oml16ocnmk-HBnbrq7SphF0dXoICLeB3TXAV22mNRz_6IrSrIvk2i7KYOib_ouUl8V_Ni8enbfbKIywX5VXYHmRxyOCs/s640/Screen+Shot+2013-07-30+at+19.33.26.png" width="576" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
To add a reserved IP you will need the hostname and MAC address of the virtual machine you are reserving it for.<br />
<br />
Under the section "DO NOT MODIFY SECTION" add the following:<br />
<span style="color: yellow;"><br /></span>
<span style="color: yellow;">host <</span><b style="color: yellow;">YOURHOSTNAME</b><span style="color: yellow;">> {</span><br />
<span style="color: yellow;"><span class="Apple-tab-span" style="white-space: pre;"> </span>hardware ethernet <<b>YOUR MAC ADDRESS</b>>;</span><br />
<span style="color: yellow;"><span class="Apple-tab-span" style="white-space: pre;"> </span>fixed-address <<b>THE IP TO ASSIGN</b>>;</span><br />
<span style="color: yellow;">}</span><br />
<br />
It should look something like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb4PycJ75IN_sx82Z62LwK8jzD7cmkkXbaNSzpHdsAIuVI5lFlLNlM0SrbwqW6qjeIvkMTSDmWbyTc-etTuEcbiHivcg0_6JEWIeVp24BuAJV7L7AeN_ZTUHh-szRg_AyZf3iGA2w7LZs/s1600/Screen+Shot+2013-07-30+at+19.19.42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgb4PycJ75IN_sx82Z62LwK8jzD7cmkkXbaNSzpHdsAIuVI5lFlLNlM0SrbwqW6qjeIvkMTSDmWbyTc-etTuEcbiHivcg0_6JEWIeVp24BuAJV7L7AeN_ZTUHh-szRg_AyZf3iGA2w7LZs/s640/Screen+Shot+2013-07-30+at+19.19.42.png" width="640" /></a></div>
<br />
My hostname is kingpin.<br />
<div>
My MAC Address is 00:0C:29:70:0D:4B.</div>
<div>
The IP I want to assign is 172.16.137.100</div>
<div>
<br /></div>
<div>
<span style="color: lime;">Worth noting: when choosing an IP to assign, it must be within the subnet declared further up in the file but outside the dynamic range, otherwise dhcpd may also lease it to another client.</span><br />
<br />
For example, in my config file in the "DO NOT MODIFY SECTION" I have:</div>
<div style="text-align: left;">
<b style="color: yellow; font-size: small;"><br /></b>
<b style="color: yellow; font-size: small;">subnet 172.16.137.0 netmask 255.255.255.0 </b><span style="color: yellow; font-size: x-small;">{</span></div>
<div>
<b style="color: yellow; font-size: small;"> range 172.16.137.128 172.16.137.254;</b><br />
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>option broadcast-address 172.16.137.255;</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>option domain-name-servers 172.16.137.2;</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>option domain-name localdomain;</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>default-lease-time 1800; # default is 30 minutes</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>max-lease-time 7200; # default is 2 hours</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>option netbios-name-servers 172.16.137.2;</span></div>
<div style="text-align: left;">
<span style="color: red; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>option routers 172.16.137.2;</span><br />
<span style="color: red; font-size: x-small;">}</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I have to choose an IP that is within the 172.16.137.0/24 range and is not being used in the current DHCP scope.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
172.16.137.1 and 172.16.137.2 are used by VMware, and the IPs from 172.16.137.128 - 172.16.137.254 are handed out dynamically from the DHCP range.<br />
<br />
That leaves me with any IP from 172.16.137.3 - 172.16.137.127.<br />
<br />
I chose 172.16.137.100 as it is easy to remember and I can start counting up from there.<br />
<br />
Simples!</div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
</div>
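As an added example (not VMware's tooling), here is a small checker for the rule just described: it parses the subnet, range, option and host statements out of a dhcpd.conf and reports why a proposed fixed-address is a bad choice. The sample config is constructed from the values above; the vmnet8 host entry is an assumption about Fusion's defaults.

```python
"""Sanity-check a dhcpd.conf reservation before pasting it into Fusion's file.

Added example, not VMware's tooling. It parses the statements the post relies
on (the subnet's dynamic 'range', the addresses dhcpd advertises as router and
DNS, and the existing 'host' entries) and reports why a proposed fixed-address
would be a bad choice. SAMPLE_CONF is constructed from the values in the post;
the vmnet8 host entry is an assumption about Fusion's defaults.
"""
import ipaddress
import re

SAMPLE_CONF = """\
subnet 172.16.137.0 netmask 255.255.255.0 {
    range 172.16.137.128 172.16.137.254;
    option broadcast-address 172.16.137.255;
    option domain-name-servers 172.16.137.2;
    option domain-name localdomain;
    default-lease-time 1800; # default is 30 minutes
    max-lease-time 7200; # default is 2 hours
    option netbios-name-servers 172.16.137.2;
    option routers 172.16.137.2;
}
host vmnet8 {
    hardware ethernet 00:50:56:C0:00:08;
    fixed-address 172.16.137.1;
}
host kingpin {
    hardware ethernet 00:0C:29:70:0D:4B;
    fixed-address 172.16.137.100;
}
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_conf(text: str):
    """Return (network, (range_lo, range_hi) or None, infra_addresses, host_entries)."""
    m = re.search(r"\bsubnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    body = m.group(3)
    r = re.search(r"\brange\s+(\S+)\s+(\S+)\s*;", body)
    rng = (ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))) if r else None
    infra = set()  # addresses dhcpd hands out as router / DNS / WINS
    for opt in ("routers", "domain-name-servers", "netbios-name-servers"):
        o = re.search(rf"\boption\s+{opt}\s+([^;]+);", body)
        if o:
            infra.update(ipaddress.ip_address(a.strip()) for a in o.group(1).split(","))
    hosts = []
    for h in re.finditer(r"\bhost\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"\bhardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", h.group(2))
        ip = re.search(r"\bfixed-address\s+(\S+)\s*;", h.group(2))
        hosts.append((h.group(1), mac.group(1).lower() if mac else None,
                      ipaddress.ip_address(ip.group(1)) if ip else None))
    return net, rng, infra, hosts


def check_reservation(conf: str, hostname: str, mac: str, ip: str):
    """List the problems with reserving `ip` for `mac`; an empty list means go ahead."""
    net, rng, infra, hosts = parse_conf(conf)
    addr = ipaddress.ip_address(ip)
    problems = []
    if not MAC_RE.match(mac):
        problems.append(f"{mac} is not a colon-separated 48-bit MAC address")
    if addr not in net:
        problems.append(f"{addr} is outside subnet {net}")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if rng and rng[0] <= addr <= rng[1]:
        problems.append(f"{addr} is inside the dynamic range {rng[0]}-{rng[1]}")
    if addr in infra:
        problems.append(f"{addr} is the router/DNS address dhcpd advertises")
    for name, host_mac, host_ip in hosts:
        if name == hostname:
            if host_mac != mac.lower() or host_ip != addr:
                problems.append(f"host {name} is already declared with different values")
            continue
        if host_ip == addr:
            problems.append(f"{addr} is already reserved for host {name}")
        if host_mac == mac.lower():
            problems.append(f"MAC {mac} is already reserved for host {name}")
    return problems


def render_host_block(hostname: str, mac: str, ip: str) -> str:
    """The block to paste, in the layout the post shows."""
    return f"host {hostname} {{\n    hardware ethernet {mac};\n    fixed-address {ip};\n}}\n"


if __name__ == "__main__":
    for candidate in ("172.16.137.50", "172.16.137.130", "172.16.137.2", "172.16.138.5"):
        issues = check_reservation(SAMPLE_CONF, "lab", "00:0C:29:12:34:56", candidate)
        print(candidate, "OK" if not issues else "; ".join(issues))
```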
<br />
<b>Bumpin' Swipe Locks...</b> (2013-07-19)<br />
<br />
An iOS application I use a fair bit has a simple swipe code authentication. The basic idea is you log in every 24 hours with your username and password, then for the next 24hrs you can use a swipe code rather than have to re-type your password each time you want to view the contents of the app. If you get the swipe code wrong more than twice, you also have to enter your password again.<br />
<br />
I decided to take a look at how this worked and see if you could fudge the app so that you never had to enter your password (after initial setup), so it wouldn't time out after 24hrs, and so that if I got the swipe wrong (I've not long had my new hands) I could have more than 2 attempts.<br />
<br />
First of all I used clutch (lazy way) to decrypt the binary and then class-dump-z to dump out the classes and methods, I'm not going to go into any detail here on these two tools. There is plenty out there if you <a href="https://www.google.co.uk/search?q=clutch+class-dump-z&oq=clutch+class-dump-z&aqs=chrome.0.57j62l3.4741j0&sourceid=chrome&ie=UTF-8" target="_blank">google</a> it!<br />
<br />
Looking through the class-dump-z output I could see a couple of classes that looked interesting: one was called XXX<b>Security</b> and the other was called XXX<b>SecurityKeys</b>... hmm.<br />
<br />
After a little bit of tinkering with theos (a new favourite tool) I was able to get some additional debug output on both of these classes as they were being called. If you use logify as below, it will create the output to go into your tweak file.<br />
<br />
<div style="text-align: center;">
<b><span style="color: cyan;">$ /opt/theos/bin/logify.pl <i>yourclass.h</i> > Tweak.xm</span></b></div>
<br />
Once the tweak is installed onto the device it will log all the output into syslog. It logs the class and method as they are called and the values returned, pretty handy.<br />
<br />
I started to use the application and could see in syslog that as I swiped across the tiles the application would login and call the following method:<br />
<br />
<br />
<div class="p1">
<b><i><span style="color: yellow;">-[&lt;XXXSecurity: 0x1d8d18d0&gt; canLoginWithSwipe] = 1</span></i></b></div>
<br />
Which was then closely followed by:<br />
<br />
<div class="p1">
<b><i><span style="color: yellow;">-[&lt;XXXSecurity: 0x59405c0&gt; loadPasswordWithSwipeCode:147A]</span></i></b></div>
<div class="p1">
<b><i><br /></i></b></div>
<div class="p1">
After trying a few more swipes it soon became obvious the swipe pad was laid out as below:</div>
<div class="p1">
<br /></div>
<div class="p1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7j_1QVA6qZtxVkrYga0_YHdVGFM4dcsJCwopiBf6DAdeuR86eFib9LeicZgb1zhcoDmQOARjHQSdUdsbpDCSWiiri77g2UHn5l9l03MDStKFIYaoC-Wv4U7BuDhuc-ClGEy75YXWvNac/s1600/Untitled+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7j_1QVA6qZtxVkrYga0_YHdVGFM4dcsJCwopiBf6DAdeuR86eFib9LeicZgb1zhcoDmQOARjHQSdUdsbpDCSWiiri77g2UHn5l9l03MDStKFIYaoC-Wv4U7BuDhuc-ClGEy75YXWvNac/s200/Untitled+2.jpg" width="177" /></a></div>
</div>
<div>
<br /></div>
So if I could get [XXXSecurity canLoginWithSwipe] to always return true (1) I would be rockin' the dance floor. This was pretty simple and is a lot like the removing simple jailbreak detection post I did previously. I created the tweak below and installed it:<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgltF_0IAJFbWqpMGS4JzqHbPa4L5EGIwH6NsRzbJGEeBS8rI5O-muRxPXBkgVu0JA-XfkdY_We1vAfhxiTnpEya56TCFai7FxNsU8a_OmkOR1vZ8HcDHuVcKH1-2kwIFFp4sPn1u3ToMA/s1600/Screen+Shot+2013-07-16+at+21.15.08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="68" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgltF_0IAJFbWqpMGS4JzqHbPa4L5EGIwH6NsRzbJGEeBS8rI5O-muRxPXBkgVu0JA-XfkdY_We1vAfhxiTnpEya56TCFai7FxNsU8a_OmkOR1vZ8HcDHuVcKH1-2kwIFFp4sPn1u3ToMA/s400/Screen+Shot+2013-07-16+at+21.15.08.png" width="400" /></a></div>
<div>
<br />
Once compiled and installed this worked a treat I could keep trying my swipe code.<br />
<br />
After looking at the syslog output for a while I began to wonder what would happen if I used cycript to call the various methods; would the app just pop open? If I could do this I could then attempt to brute force the swipe code by passing values to cycript to try. Swipe codes are pretty simple; there's not much entropy.<br />
<br />
I started to play around with cycript and wasn't really getting anywhere, so I began to google, as this is a fairly common technique for hacking apps; jailbreak tweakers do this a lot. After a short time googling I stumbled across this <a href="http://highaltitudehacks.com/ios/" target="_blank">blog</a> and also this <a href="http://resources.infosecinstitute.com/penetration-testing-for-iphone-applications-part-5/" target="_blank">blog</a> from Prateek Gianchandani. It was really useful but I wasn't getting anywhere, so I dropped <a href="https://twitter.com/prateekg147" target="_blank">Prateek</a> a mail. Prateek responded and was able to point me in the right direction. My Objective-C isn't great; I am at best a n00b (but learning fast). He explained that it looked like the method that was being called (see below) was an instance method and I needed to find the reference to the instance.<br />
<br />
<b><i><span style="color: yellow;">-[&lt;XXXSecurity: 0x59405c0&gt; loadPasswordWithSwipeCode:147A]</span></i></b><br />
<br />
After a few more emails backwards and forwards, and a bit of digging in cycript, I eventually found that by calling the following the app would return the logged-in user's password...<br />
<br />
<b><span style="color: cyan;">cy# [[XXXSecurity sharedInstance]loadPasswordWithSwipeCode:@"147A"]</span></b><br />
<b><span style="color: cyan;">@"password123"</span></b><br />
<br />
If I supplied the wrong swipe code I got null back:<br />
<br />
<b><span style="color: cyan;">cy# [[XXXSecurity sharedInstance]loadPasswordWithSwipeCode:@"1234"]</span></b><br />
<b><span style="color: cyan;">null</span></b><br />
<br />
So all I had to do was create a little bash script that would loop round a wordlist of swipe codes and when != null was returned I would have my password... simples!<br />
<br />
I knocked up the bash script below to brute force the swipe code and it returned the password quite quickly. Most swipe codes aren't that long so creating an effective wordlist isn't too hard.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8VQeUNVt0UMWZxjMhDyKy-7lUrzBPH0pMqTCYOzX1VSC4KTIMCpkdh-DWHAc6f2ZcW6gs8nDsn8EN3NhLsfmVjYhIL5KSnp3kLQycyRthPqaB1LGka_BYs276X1vXpnj8Qm1Pw0tD_I4/s1600/Screen+Shot+2013-07-16+at+21.50.11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8VQeUNVt0UMWZxjMhDyKy-7lUrzBPH0pMqTCYOzX1VSC4KTIMCpkdh-DWHAc6f2ZcW6gs8nDsn8EN3NhLsfmVjYhIL5KSnp3kLQycyRthPqaB1LGka_BYs276X1vXpnj8Qm1Pw0tD_I4/s400/Screen+Shot+2013-07-16+at+21.50.11.png" width="400" /></a></div>
<br />
<br />
The beauty of this attack via cycript is that even though the app has a limit of 10 password attempts set, it's totally ignored when you use cycript to inject code into the runtime. The other methods aren't called, so the app doesn't even know it has been abused or how many times the password has been tried.<br />
<br />
I decided to reset the swipe code and check that the bash script worked when I tried it against a different swipe code, just in case there were any errors.<br />
<br />
As I did this I noticed a method being called that looked quite interesting; it looked like there was a specific method for setting a new swipe code:<br />
<br />
<div class="p1">
<b><i><span style="color: yellow;">-[&lt;XXXSecurity: 0x59405c0&gt; setSwipeCode:0369AB]</span></i></b></div>
<br />
If I could call this and set my own swipe code without any verification of the old swipe code or the user's current passcode, I could then call the method "loadPasswordWithSwipeCode" with the new swipe code I had set and return the logged-in user's passcode... whoop whoop, no more bruteforce required!!<br />
<br />
The following worked a charm and I had the users password:<br />
<br />
<b><span style="color: cyan;">cy# [[XXXSecurity sharedInstance]setSwipeCode:@"0000"]</span></b><br />
<b><span style="color: cyan;">cy# [[XXXSecurity sharedInstance]loadPasswordWithSwipeCode:@"0000"]</span></b><br />
<b><span style="color: cyan;">@"password123"</span></b><br />
<br />
I decided that I should probably disable the swipe code and only use a password from now on, but doing this didn't work. I could still set any swipe code and return the password. In fact this was probably worse, as you wouldn't even know the swipe code had been changed.<br />
<br />
The only saving grace for this attack is that you need a jailbreak for it to work, as otherwise you cannot install cycript, ssh etc. Having said that, I'm pretty sure there is probably some jailbreak 0day out there in the wild that hasn't been patched by Apple.</div>
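As an added example (not the app's code), the model below contrasts the two design defects the post uncovered with a version that keeps the guess counter and the re-authentication check inside the object that actually checks the code. Only the method names come from the logify output above; the internals, the sample password and the swipe codes are assumptions.

```python
"""Model of the two design flaws the post found in XXXSecurity.

Added example, not the app's code: the method names (canLoginWithSwipe,
loadPasswordWithSwipeCode:, setSwipeCode:) come from the post's logify output,
everything else is assumed. The vulnerable class behaves as the post observed;
the hardened one keeps the attempt counter and the re-authentication check
inside the object that checks the code, and stores the password wrapped under
a key derived from the swipe code instead of in the clear. Runtime injection
on a jailbroken device can still hook any in-process check, so the stronger
fix is to keep nothing recoverable on the device at all (e.g. a server token).
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3      # the post: more than two wrong swipes forces a password login
KDF_ROUNDS = 100_000  # slows offline guessing of a short code


def _kdf(secret: str, salt: bytes, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS, length)


class VulnerableSecurity:
    """What cycript revealed: a free oracle and an unauthenticated setter."""

    def __init__(self, password: str, swipe_code: str):
        self._password = password      # plaintext, recoverable from the code alone
        self._swipe_code = swipe_code

    def can_login_with_swipe(self) -> bool:
        return True                    # the guess limit lives in the UI, not here

    def load_password_with_swipe_code(self, code: str):
        return self._password if code == self._swipe_code else None

    def set_swipe_code(self, code: str) -> None:
        self._swipe_code = code        # no proof the caller knows anything


class HardenedSecurity:
    """Same interface; the checks the post bypassed are inside the object."""

    def __init__(self, password: str, swipe_code: str):
        self._pw_salt = os.urandom(16)
        self._pw_hash = _kdf(password, self._pw_salt, 32)
        self._failures = 0
        self._install(password, swipe_code)

    def _install(self, password: str, swipe_code: str) -> None:
        # Derive a check key and a wrapping stream from the swipe code so the
        # stored blob is useless without it (XOR wrap kept simple here; a real
        # app would use the Keychain or AES-GCM).
        pw = password.encode()
        self._salt = os.urandom(16)
        keys = _kdf(swipe_code, self._salt, 32 + len(pw))
        self._check = hmac.new(keys[:32], b"swipe-check", "sha256").digest()
        self._wrapped = bytes(a ^ b for a, b in zip(pw, keys[32:]))

    def can_login_with_swipe(self) -> bool:
        return self._wrapped is not None and self._failures < MAX_ATTEMPTS

    def load_password_with_swipe_code(self, code: str):
        if not self.can_login_with_swipe():
            return None                # locked: only the password gets you back in
        keys = _kdf(code, self._salt, 32 + len(self._wrapped))
        expected = hmac.new(keys[:32], b"swipe-check", "sha256").digest()
        if not hmac.compare_digest(expected, self._check):
            self._failures += 1
            if self._failures >= MAX_ATTEMPTS:
                self._wrapped = None   # wipe the wrapped secret on lockout
            return None
        self._failures = 0
        return bytes(a ^ b for a, b in zip(self._wrapped, keys[32:])).decode()

    def set_swipe_code(self, new_code: str, current_password: str) -> bool:
        # Re-authenticate with the password before accepting a new code.
        if not hmac.compare_digest(_kdf(current_password, self._pw_salt, 32), self._pw_hash):
            return False
        self._install(current_password, new_code)
        self._failures = 0
        return True


if __name__ == "__main__":
    app = HardenedSecurity("password123", "147A")   # constructed values
    for guess in ("0000", "0001", "0002", "147A"):
        print(guess, "->", app.load_password_with_swipe_code(guess))
    print("reset without password:", app.set_swipe_code("0000", "not-the-password"))
```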
<br />
<b>Remember to removePIE...</b> (2013-07-11)<br />
<br />
A couple of weeks back I was reversing an app and trying to work out what it was doing. I had removed the encryption (the shorthand way) using clutch and had the class-dump-z output, but this wasn't quite enough. I needed to go a bit deeper as I wanted to know a bit more about what was going on.<br />
<br />
I already had GDB installed on the device so I decided to spark the application up and attach to the running process. This all went well; I then set myself a couple of breakpoints, which seemed to be accepted. I hit C and continued to debug the app. Each time the app got to the point where I was expecting it to stop, it would just keep going. Hmmm, odd; maybe GDB isn't working quite right, I'll try LLDB.<br />
<br />
I configured LLDB to work remotely and started a session on my laptop, once again configuring the breakpoints I wanted. Again the app just continued to run, no problems, wtf. This was getting frustrating; had the developer configured some anti-debug tactics? I had a look around and I wasn't seeing any <span style="background-color: #cccccc;">"<span style="font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 14px; line-height: 15.390625px; white-space: pre;">Segmentation fault: 11"</span></span> errors on attach, so I assumed they hadn't. Both GDB and LLDB were just not stopping on any of the breakpoints I had set.<br />
<br />
After much searching, I came across another blog post that simply said "Can you debug iOS applications if ASLR is set?". A £2 coin hit the floor, boom. I had forgotten to disable the ASLR protection. I downloaded removePIE from here <a href="https://github.com/peterfillmore/removePIE">https://github.com/peterfillmore/removePIE</a>, copied it to my device and ran it against the app.<br />
<br />
Bingo, my breakpoints were being hit and working perfectly on both GDB and LLDB. I won't forget this again...<br />
<br />
If you want to know more about disabling ASLR and how it works, check out the write-up here <a href="http://www.securitylearn.net/2013/05/23/disable-aslr-on-ios-applications/">http://www.securitylearn.net/2013/05/23/disable-aslr-on-ios-applications/</a>.<br />
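As an added example (not removePIE's code), the script below reads the Mach-O header of each architecture slice of a binary and reports whether the MH_PIE flag, the flag removePIE clears, is set, which is the first thing to check when breakpoints set by address never fire. The headers it inspects are constructed in memory so it runs without a device.

```python
"""Report whether a Mach-O binary is built as PIE (the flag removePIE clears).

Added example, not removePIE's code. It reads only the Mach-O header of each
architecture slice (thin or fat binary) and checks MH_PIE (0x200000) in the
flags word; with it clear, dyld loads the image at its fixed base, so
breakpoints set by address hold across launches. The headers built at the
bottom are constructed in memory; pass the bytes of a real binary to
pie_status() to check one.
"""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit header, host/swapped byte order
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit header
FAT_MAGIC = 0xCAFEBABE                              # universal wrapper, always big-endian
MH_EXECUTE = 2
MH_PIE = 0x200000
CPU_NAMES = {7: "x86", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}


def parse_header(data: bytes, offset: int = 0):
    """Return (arch_name, is_pie) for the Mach-O header at `offset`."""
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"          # file is the other byte order; read the fields swapped
    else:
        raise ValueError(f"no Mach-O header at offset {offset:#x}")
    cputype, _subtype, _filetype, _ncmds, _sizeofcmds, flags = struct.unpack_from(
        endian + "6I", data, offset + 4)
    return CPU_NAMES.get(cputype, f"cpu{cputype:#x}"), bool(flags & MH_PIE)


def pie_status(data: bytes):
    """List (arch, is_pie) for every slice; a fat binary yields one per arch."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat):
            _cputype, _sub, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            results.append(parse_header(data, offset))
        return results
    return [parse_header(data)]


def build_header(cputype: int, flags: int, bits: int = 32, big_endian: bool = False) -> bytes:
    """Constructed Mach-O header (no load commands) for the demo and tests."""
    end = ">" if big_endian else "<"
    if bits == 64:
        return struct.pack(end + "8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE, 0, 0, flags, 0)
    return struct.pack(end + "7I", MH_MAGIC, cputype, 0, MH_EXECUTE, 0, 0, flags)


def build_fat(slices) -> bytes:
    """Constructed universal binary wrapping (cputype, header_bytes) pairs."""
    offset = 8 + 20 * len(slices)
    table, body = b"", b""
    for cputype, blob in slices:
        table += struct.pack(">5I", cputype, 0, offset + len(body), len(blob), 0)
        body += blob
    return struct.pack(">2I", FAT_MAGIC, len(slices)) + table + body


COMMON_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, typical for an app binary

if __name__ == "__main__":
    app = build_fat([(12, build_header(12, COMMON_FLAGS | MH_PIE)),
                     (0x0100000C, build_header(0x0100000C, COMMON_FLAGS, bits=64))])
    for arch, pie in pie_status(app):
        print(f"{arch:6} PIE={'yes' if pie else 'no (fixed load address)'}")
```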
<br />
<br />
<b>BYOD - Build Your Own Device...</b> (2013-07-02)<br />
<br />
Recently I have changed a few screens on iPhones, iPods and iPads; I have even got the wife doing them for friends and family. The idea was to look at starting this up as an additional service that the business could provide as well as just consultancy. Part of my research has required finding good parts at cheap prices; after a little bit of googling I quickly came across <a href="http://www.alibaba.com/" target="_blank">www.alibaba.com</a>. The best way I can think of to describe the Ali Ba Ba website is "Amazon for Chinese manufacturers". There is literally tons of stuff up there that is all manufactured in China and sold at cheap prices; you can buy everything from light bulbs to ride-on electric cars for kids! My only recommendation is don't make out you're interested in anything unless you really (really, really, really) want it. I get 2-3 mails a week offering me LED light bulbs from a girl called "Lucy Wu" who will not give up; her emails do provide a bit of light humour, as she often tells some round-the-houses funny story about what she has been up to that week before asking if I want to buy "the best light bulbs in the world".<br />
<div class="p1">
<br /></div>
<div class="p1">
After a bit of searching around on "Ali Ba Ba" I found nearly all the standard parts you would expect, the typical ones you can find on ebay and amazon such as replacement screens, cameras, batteries, dock connectors etc. </div>
<div class="p1">
<br /></div>
<div class="p1">
Then I found these, an iPhone 4 logic board:</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo88vBK36Uf4mu7tFEx1A-MwwRAB1-tFdC8yVseI1Xb2tu1DBe5zL21Z-RtetzkYC-irb5yeV6_vINbsmhUYKLB7443LTyXxPMRNRQm3mrjzMeyzBwEtZm_y59BCVZelVPJm4hwBckdm0/s1600/Screen+Shot+2013-05-23+at+12.56.45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="154" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgo88vBK36Uf4mu7tFEx1A-MwwRAB1-tFdC8yVseI1Xb2tu1DBe5zL21Z-RtetzkYC-irb5yeV6_vINbsmhUYKLB7443LTyXxPMRNRQm3mrjzMeyzBwEtZm_y59BCVZelVPJm4hwBckdm0/s320/Screen+Shot+2013-05-23+at+12.56.45.png" width="320" /></a></div>
<div class="p1">
I dismissed it at first and thought that will never work, they will be fakes. Having ordered a few LCD screens and struck up a bit of a relationship with a supplier, I decided to ask if they did the logic boards for devices and whether they were genuine; would they actually work? After a Skype chat the supplier assured me they would work and they were genuine and unlocked. The price of the boards varies, but for an iPhone 4 16GB I was looking at approx £150. Not a good price, but curiosity got the better of me and I decided to look for all the parts I would need to build a device from the ground up.</div>
<div class="p1">
<br /></div>
<div class="p1">
Quick trip over to <a href="http://www.ifixit.com/Teardown/iPhone+4+Teardown/3130/1" target="_blank">iFixit to find a teardown</a>, sure enough an exploded list of iPhone 4 components and parts as below:</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFzsd5sbLLn-EZ0YV2PXVWjvu5qPsJfHID_WUgAf2Jq5mJlp_qtCmCravq-wcPCdbfJ2lq0RbKn9oP2zxJwwJuTTP-xcyLM1iFXHTKxP47pqfpyrKYtg53EZojUGQmFX4BrKau_EgkGfY/s1600/Screen+Shot+2013-05-23+at+13.02.36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFzsd5sbLLn-EZ0YV2PXVWjvu5qPsJfHID_WUgAf2Jq5mJlp_qtCmCravq-wcPCdbfJ2lq0RbKn9oP2zxJwwJuTTP-xcyLM1iFXHTKxP47pqfpyrKYtg53EZojUGQmFX4BrKau_EgkGfY/s320/Screen+Shot+2013-05-23+at+13.02.36.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
I dropped a message to the supplier I had been using and asked them if they could supply 1 x all of the 23 items listed. Sure, they would go away and find out what was required. 24hrs later they came back with a list and a price for all the items, "how many did I want?". I have to stress, I just wanted to do this as an experiment; this wasn't designed to make me any money, in fact it made me a loss, as I could buy a 2nd-hand iPhone from ebay a lot cheaper. I wanted to know if I could find all the parts and actually build my own iPhone, that's what we used to do with PCs right?!?!</div>
<div class="" style="clear: both; text-align: left;">
<br />
I ordered the items I needed and 4-5 days later a courier dropped the package at my door with all the items.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
Now this wasn't exactly the unboxing experience you get when you purchase a nice new phone, I should have probably made a video of it and posted that up but I only took some pictures, here is what I got.</div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
A dirty old cardboard box with bits in...</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DlpOqrnr13ZgGWKpr3g86rhAprizvh1cYHCGUvuJDgkNbDHUHVEaGqYaagXF9W968cHIylD05Sq_04xheIwA-bgVCzpZHNOWiz6gwZeoyX2XZzgOglA11z6v3gXjulia9HKjYlM0Jt4/s1600/IMG_3340.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DlpOqrnr13ZgGWKpr3g86rhAprizvh1cYHCGUvuJDgkNbDHUHVEaGqYaagXF9W968cHIylD05Sq_04xheIwA-bgVCzpZHNOWiz6gwZeoyX2XZzgOglA11z6v3gXjulia9HKjYlM0Jt4/s400/IMG_3340.jpg" width="300" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqvYEYxnyJ8TTi9CHKzHkzPYPIpN2JU8z9JKLFsq8Yfkweg_rdN47ljfPn41ziLSh-Rf9Zg0f5PVnsZ8pbIbwHBy_4I_orGs1QqwNA3-2GlL0yTAT8z1W1Ok-A2MASgakhyr4kJr4WTJc/s1600/IMG_3339.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: left;"></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Here are the main parts, Front screen, back glass, Logic Board, and Main frame. Attached to the main frame was the volume buttons, mute switch, front camera, back camera, ear speaker, loud speaker, dock / charging point. These were already wired up for me, I hadn't asked for this as I wanted to do it myself but it seems they had tried to be extra helpful. :( </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPld99fO-aYDh6LKMEfWAdNQV5cunDgQlrW1_drQbFxNig3N5TN9XrUiqrweC_shl7Er1rZnn8ekJ4yETmLa7QqEunPA5nBeugEr-wz_aOIyiFULc0HfNv1q7DiLFmegsrzK_l6FStSCk/s1600/IMG_3339.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPld99fO-aYDh6LKMEfWAdNQV5cunDgQlrW1_drQbFxNig3N5TN9XrUiqrweC_shl7Er1rZnn8ekJ4yETmLa7QqEunPA5nBeugEr-wz_aOIyiFULc0HfNv1q7DiLFmegsrzK_l6FStSCk/s400/IMG_3339.jpg" width="300" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Also included was a bag of screws, of which I had a rough idea what went where but a lot of this was going to be guess work. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmzXXpp5O3NjMspDcPo58Qp4TtYgnl1hzr0G6ZVEdAZpRuXzO5fvAEx1vlE7fDddtP06TZD-o0oi82R2OJiVJ_Lu-EWZbvxbosr-SMtta2719xrRxdEgCrUgS71-PPEiZkHLABJYi2nI4/s1600/IMG_3345.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmzXXpp5O3NjMspDcPo58Qp4TtYgnl1hzr0G6ZVEdAZpRuXzO5fvAEx1vlE7fDddtP06TZD-o0oi82R2OJiVJ_Lu-EWZbvxbosr-SMtta2719xrRxdEgCrUgS71-PPEiZkHLABJYi2nI4/s400/IMG_3345.jpg" width="300" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
I had a quick look at a video from Direct Fix on<a href="http://www.youtube.com/watch?v=iNM90pb-Xwk" target="_blank"> how to change an LCD screen on the iPhone 4</a> to give me an idea of what would go where. After about an hour I had everything in place and it was the moment of truth... boot up.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/Zks5y1y-4OY?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I was amazed to see the Apple logo, I didn't expect this... after 30 seconds the lock screen appeared... but it was all in Chinese. I managed to guess my way round the menu with another iPhone to hand and did a factory reset; sure enough it took me to the usual start-up screen and I was able to choose my language as per a factory reset. I grabbed a SIM I had and put it in, then attached to the WiFi network and the device registered as expected without any problems. I could attach to the mobile network and use it as a normal phone. A couple of tests to check the vibrate switch, volume buttons and charging all worked OK. No problems there; just make a few calls and check that was all good... </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This is where I hit problems: I could make and receive a call OK but heard nothing out of the ear speaker, and the mic didn't seem to work. Thinking I had missed something, I stripped the device down and reassembled it again, same outcome, no sound and no mic. I had a spare iPhone 4 so I took the logic board out of it and swapped them over; with an original Apple logic board the new parts all worked without a problem. I put the new logic board back into the new device and booted up again, but this time the LCD wasn't displaying... arrgghh!! </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
After much "faffing" around stripping and assembling the two devices I came to the conclusion that the new logic board was in fact faulty so sent it back to the supplier in China. I'm guessing they may have acquired them because they are faulty or not quite up to scratch, who knows.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Once the supplier received the board back they sent it to their QA team to test and check whether it was faulty. I was kind of expecting the response I got back: "Yeah it's all fine, no problems. Want us to send it back?" I was 100% sure it was faulty so asked them to send me a video of the part being tested and working, which they couldn't do. I have now requested a refund and after 4 weeks of hassling them every day it looks like I might get the money back.</div>
<div style="text-align: left;">
<br />
I was hoping that if I got a replacement logic board back that worked I could check what it was talking to by firing it via burp proxy. It doesn't look like I'm going to get one back so this is canceled. </div>
<div style="text-align: left;">
<br />
My conclusion from all of this is Apple make money because they are good at this and they make great devices (IMO)! The amount of engineering that goes into getting so many small parts into a device is amazing, maximum respect to the people who do this for a living (including Samsung, BlackBerry et al).<br />
<br />
It is possible to assemble a device from parts imported from a shady Chinese supplier but it's really not worth the time, effort and chances are they will be 2nd rate parts. If you are struggling to find the money to buy one, check <a href="http://www.ebay.co.uk/sch/i.html?_odkw=iphone+4&_osacat=15032&_trksid=p2045573.m570.l1311.R1.TR6.TRC0&_nkw=iphone+4+damaged&_sacat=15032&_from=R40" target="_blank">ebay for a damaged device </a>and replace the bits that are damaged.<br />
<br />
Now I have a few spare devices I would love to try and do some "chip off" type forensics... I am expecting a lot of collateral damage doing that and at the moment have no idea where to start!</div>
<br />isa56khttp://www.blogger.com/profile/09347015681937215514noreply@blogger.com0tag:blogger.com,1999:blog-3167755028408409431.post-76635592577150113442013-06-14T21:03:00.001+01:002013-07-22T08:00:14.456+01:00Defeating "simple" jailbreak detection with theos...More and more developers are starting to build jailbreak detection into their apps. A jailbroken device is classed by many (especially MDM vendors) as compromised. I think this is a fair approach to take; many corporates don't want the risk of devices with unverified software running on their network.<br />
<br />
The problem with jailbreak detection is that it can always be defeated. Objective-C resolves method calls at runtime through its message dispatch, so on a jailbroken device it is always possible to locate the method performing the check and hook it (via MobileSubstrate) so that it returns whatever the attacker wants rather than what the original developer intended. Detection raises the bar for an attacker; it never makes the check tamper-proof.<br />
<br />
When I first started to look at this I wasn't aware of <a href="http://theiphonewiki.com/wiki/XCon" target="_blank">xCon</a>. If you are not interested in how to defeat simple jailbreak detection and just want to get round some non-trivial jailbreak detection in an app, grab it from Cydia. The guys have done a good job of covering a lot of apps and for most it works well. You will probably find that it works on some apps that aren't listed too.<br />
<br />
The process for patching out Jailbreak detection is something like this:<br />
<ol>
<li>Decrypt application</li>
<li>Copy to your mac</li>
<li>Dump classes using class-dump-z</li>
<li>Find class that checks for jailbreak detection</li>
<li>Create a patch with theos to hook it.</li>
<li>Install & re run application.</li>
</ol>
<div>
For this you will need:<br />
<ol>
<li>A jailbroken iOS device with MobileSubstrate installed</li>
<li>A mac with Theos installed</li>
</ol>
<br />
Here it is in a bit more detail....</div>
<div>
<br /></div>
<b><u>Step 1 - Decrypt application </u></b><br />
There is a long way to decrypt iPhone applications and a quick way. <a href="http://lightbulbone.com/post/27887705317/reversing-ios-applications-part-1" target="_blank">LightBulbOne's blog</a> is a good read and has details on what to do if you want to try the longer way. I prefer the quick way (some might say lazy) using tools. The best tool I have found so far is clutch; having done it the long way I would suggest you use clutch! You can find clutch out on the internets and on some Cydia repos. It's commonly used by "crackers" to pirate apps so it sometimes goes missing or gets taken down.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigeunXYEniBy5ySNaiG7PvsCDZhnijcsb8SEbpIRBlT3KDRBQ4zfEigbdsu4cusLYCB3IoKZuMkmM6bn4sdF7zb8brbcxUaBMnmDwXsP1fa1hgRgNFYinop7jJXYNclsDGDiAB0uBWbvk/s1600/Screen+Shot+2013-06-14+at+14.54.59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigeunXYEniBy5ySNaiG7PvsCDZhnijcsb8SEbpIRBlT3KDRBQ4zfEigbdsu4cusLYCB3IoKZuMkmM6bn4sdF7zb8brbcxUaBMnmDwXsP1fa1hgRgNFYinop7jJXYNclsDGDiAB0uBWbvk/s400/Screen+Shot+2013-06-14+at+14.54.59.png" width="400" /></a></div>
<br />
To use clutch simply type the following at a shell prompt.<br />
<br />
<b><span style="color: lime;"> # ./clutch "name of your app"</span></b><br />
<br />
Clutch will then automagically create an .ipa file of your application, from which you can extract the decrypted binary.<br />
<br />
<b><u>Step 2 - Copy the .ipa to your laptop and extract</u></b><br />
This is a pretty straight forward step, just use Cyberduck or SCP to copy the .ipa to a folder or location on your laptop you can easily access. Using your favourite unarchiver extract the contents of the .ipa to a folder. I just use unzip from a cmd line.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmQObWC5xtko-t_ugVQoQVAk_pIvEjYm0fd6wjBmXlS0EfMqT_c4lcTZF3weKj3L9IBla3313-8KdG3kKhF7wehWZCQ6Sf1riger_2v4NW0aWPllqUEX1xNwOX8_vhkN8C2R4Y5MJ5YdU/s1600/Screen+Shot+2013-06-14+at+15.27.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmQObWC5xtko-t_ugVQoQVAk_pIvEjYm0fd6wjBmXlS0EfMqT_c4lcTZF3weKj3L9IBla3313-8KdG3kKhF7wehWZCQ6Sf1riger_2v4NW0aWPllqUEX1xNwOX8_vhkN8C2R4Y5MJ5YdU/s400/Screen+Shot+2013-06-14+at+15.27.26.png" width="400" /></a></div>
<br />
<b><u>Step 3 - Dump the class info</u></b><br />
There is a great tool called class-dump-z that if you have looked at reversing iOS apps before you will be well aware of. You will need to grab it from <a href="https://code.google.com/p/networkpx/wiki/class_dump_z" target="_blank">here</a>.<br />
<br />
Once you have got class-dump-z you will need to run it against the application binary, which can be found in the directory .../Payload/<nameofapp>.app/ . Usually the executable will match the name of the application. To dump the classes run the following command:<br />
<br />
<b><span style="color: lime;"> # class-dump-z Payload/DME\ 4.app/DME\ 4 > dump.txt</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilthU8-ahT2AaAxo8OHLVlJGMnbPV_dPNMAtCGLGk5UkVCqJUSmIO-jROsmRKMXMSu0givcNiMd5jYXcJj85d7QrGx9ExoCqm2ar2pMJNdSc_AA3ktrrqN3v9jnG_E_zMGQRIuoi21OGg/s1600/Screen+Shot+2013-06-14+at+15.36.57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="33" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilthU8-ahT2AaAxo8OHLVlJGMnbPV_dPNMAtCGLGk5UkVCqJUSmIO-jROsmRKMXMSu0givcNiMd5jYXcJj85d7QrGx9ExoCqm2ar2pMJNdSc_AA3ktrrqN3v9jnG_E_zMGQRIuoi21OGg/s400/Screen+Shot+2013-06-14+at+15.36.57.png" width="400" /></a></div>
<br />
<br />
<b><u>Step 4 - Locate method performing Jailbreak Detection</u></b><br />
Next, open up the dump.txt file you just created using textpad or another editor. I have been using <a href="http://www.sublimetext.com/" target="_blank">sublime</a> recently and love it as you can set the language and get some colour coding to help you. Next look through the file or search for anything with "jail", "break" or "detection" in it.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2GmLg0zNvp91-zbkInh61Pl3qJDA3GVPbFxU742Llg0UBwcI21zzsEpm5e-gkXFvBE_Hl9LsSZlEBG7Gln1bdxL0jHeqvx6tFayoeXPB7KOEF0ucf5cSvaf1rGZ7CZWqsYgjaYkkqt4/s1600/Screen+Shot+2013-06-14+at+15.41.35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2GmLg0zNvp91-zbkInh61Pl3qJDA3GVPbFxU742Llg0UBwcI21zzsEpm5e-gkXFvBE_Hl9LsSZlEBG7Gln1bdxL0jHeqvx6tFayoeXPB7KOEF0ucf5cSvaf1rGZ7CZWqsYgjaYkkqt4/s400/Screen+Shot+2013-06-14+at+15.41.35.png" width="400" /></a></div>
<br />
Here we can see a class "<b><span style="color: cyan;">DMEDevice</span>"</b> that has a method returning <b><span style="color: cyan;">BOOL</span></b> called "<b><span style="color: cyan;">isJailBroken</span>"</b>. As it returns a BOOL it can only answer true or false, so if we can hook this method and force it to always return false we can probably evade the jailbreak detection. Note the exact spelling and case of the selector in the dump, and whether it is a class method (+) or an instance method (-): the hook must match both or it will never be called.<br />
<br />
<b><u>Step 5 - Hooking with Theos</u></b><br />
Theos is a tool created by <a href="https://twitter.com/DHowett" target="_blank">Dustin Howett</a> and is used in jailbreak development to build tweaks, package them as .deb files and install them onto your device. There are some good articles and wikis on installing theos; check out the links below if you haven't got it installed already:<br />
<br />
<a href="http://iphonedevwiki.net/index.php/Theos">http://iphonedevwiki.net/index.php/Theos</a><br />
<a href="http://iphonedevwiki.net/index.php/Theos/Getting_Started">http://iphonedevwiki.net/index.php/Theos/Getting_Started</a><br />
<a href="http://brandontreb.com/beginning-jailbroken-ios-development-your-first-tweak">http://brandontreb.com/beginning-jailbroken-ios-development-your-first-tweak</a><br />
<br />
Once you have got theos installed you will need to create a new project. To do this use the nic.pl script:<br />
<br />
<b><span style="color: lime;"> # $THEOS/bin/nic.pl</span></b><br />
<br />
This will launch the menu; select option 5 "Tweak" and then fill in the relevant details.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9aJzyDd46kdOUYVzJ8xQ8a8kCmaYoWqgNKkFIQBAI9jxEwAFsFuUJoplyMb4WHdq0YCdZqYGEzrWshq3G6jqzoA8mS3K8LONoF5iVkw9TnC3UjkdYQZWMY8nVeQEJKr35ucDCxPQgSY/s1600/Screen+Shot+2013-06-14+at+16.33.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhU9aJzyDd46kdOUYVzJ8xQ8a8kCmaYoWqgNKkFIQBAI9jxEwAFsFuUJoplyMb4WHdq0YCdZqYGEzrWshq3G6jqzoA8mS3K8LONoF5iVkw9TnC3UjkdYQZWMY8nVeQEJKr35ucDCxPQgSY/s400/Screen+Shot+2013-06-14+at+16.33.12.png" width="400" /></a></div>
<br />
The most important one to get right is the "MobileSubstrate Bundle filter". This is the bundle identifier (CFBundleIdentifier) of the application you want to hook; MobileSubstrate only loads your tweak into processes whose bundle identifier matches it, so a typo here means the hook silently never runs. If you don't know it you will be able to locate it in the file:<br />
<br />
/var/mobile/Library/Caches/com.apple.mobile.installation.plist<br />
<br />
It's a binary plist so you will need to use <a href="http://ericasadun.com/ftp/EricaUtilities/" target="_blank">plutil</a> that comes with com.ericasadun.utilities, downloadable from Cydia (alternatively, scp the file to your Mac and convert it with the OS X plutil: plutil -convert xml1 -o - com.apple.mobile.installation.plist). Simply type the following and then look for the "MobileSubstrate Bundle filter".<br />
<b><span style="color: lime;"><br /></span></b>
<b><span style="color: lime;"># plutil /var/mobile/Library/Caches/com.apple.mobile.installation.plist | grep "CFBundleName" -B1 | grep <App Name> -B1</span></b><br />
<br />
Where <App Name> is the name of the application you are looking for.<br />
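If you would rather not install Erica Utilities on the device, the same lookup can be done offline on the Mac. The Python below is an added example, not part of the original post or of Theos: it reads the installation cache as a binary plist with the standard-library plistlib and returns the bundle identifiers (the value that goes into the MobileSubstrate Bundle filter) whose CFBundleName or CFBundleDisplayName matches the name you give. The plist embedded in it is constructed for the example, and its layout (a "System" and a "User" dictionary keyed by bundle identifier, each holding the app's Info.plist values) is an assumption about the iOS 6-era file, so sanity-check the real one with plutil first.<br />

```python
"""Look up an app's bundle identifier (the MobileSubstrate bundle filter) in
com.apple.mobile.installation.plist. Added example; the plist below is constructed."""
import plistlib
import sys

# Assumed layout of the iOS 6-era installation cache: "System" and "User" dictionaries,
# each keyed by bundle identifier and holding the app's Info.plist values.
# The entries here are made up for the example, not taken from a real device.
SAMPLE_INSTALLATION_PLIST = plistlib.dumps({
    "System": {
        "com.apple.mobilesafari": {
            "CFBundleName": "MobileSafari",
            "CFBundleIdentifier": "com.apple.mobilesafari",
            "Path": "/Applications/MobileSafari.app",
        },
    },
    "User": {
        "com.example.exampleapp": {
            "CFBundleName": "Example App",
            "CFBundleDisplayName": "Example",
            "CFBundleIdentifier": "com.example.exampleapp",
            "Path": "/var/mobile/Applications/EXAMPLE-UUID/Example App.app",
        },
        "com.example.other": {
            "CFBundleName": "Other",
            "CFBundleIdentifier": "com.example.other",
            "Path": "/var/mobile/Applications/OTHER-UUID/Other.app",
        },
    },
}, fmt=plistlib.FMT_BINARY)


def bundle_filters(plist_bytes, app_name, sections=("System", "User")):
    """Return (bundle identifier, install path) pairs whose bundle name or display
    name equals app_name, case-insensitively. plistlib.loads detects binary and
    XML plists itself, so the file can be fed in exactly as copied off the device."""
    root = plistlib.loads(plist_bytes)
    wanted = app_name.casefold()
    hits = []
    for section in sections:
        for bundle_id, info in root.get(section, {}).items():
            names = {info.get("CFBundleName", ""), info.get("CFBundleDisplayName", "")}
            if wanted in {n.casefold() for n in names}:
                # Prefer the CFBundleIdentifier inside the entry; fall back to the dict key.
                hits.append((info.get("CFBundleIdentifier", bundle_id), info.get("Path", "")))
    return hits


if __name__ == "__main__":
    # Usage: python3 bundle_filter.py com.apple.mobile.installation.plist "App Name"
    if len(sys.argv) == 3:
        data, name = open(sys.argv[1], "rb").read(), sys.argv[2]
    else:
        data, name = SAMPLE_INSTALLATION_PLIST, "Example App"
    for bundle_id, path in bundle_filters(data, name):
        print(f"{bundle_id}\t{path}")
```

The install path comes back alongside the identifier because it is also the directory you will point class-dump-z at once the app is decrypted.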
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxapApiEjn42dHObvF1_Bwp_F87oRiJ6IRtAi4MqrBJzTTwF_6n6y6YYp3m_cZU469xSHMfn-cSXJ419ej-E-JhfOjQNDBLSLf70HRH_QkiTZ2dDOY_j0USPbmdTynjBeNqPpDKY-lu7M/s1600/Screen+Shot+2013-06-14+at+19.46.25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxapApiEjn42dHObvF1_Bwp_F87oRiJ6IRtAi4MqrBJzTTwF_6n6y6YYp3m_cZU469xSHMfn-cSXJ419ej-E-JhfOjQNDBLSLf70HRH_QkiTZ2dDOY_j0USPbmdTynjBeNqPpDKY-lu7M/s400/Screen+Shot+2013-06-14+at+19.46.25.png" width="400" /></a></div>
<br />
<br />
Next you will need to add the required code into the file Tweak.xm file in your project directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Fqk-jWHrGmONrZj9ktSyeXwgh_XfOr2F6q_0RSrcmgv_1l0_A3sLcXEdSKUqGJPgBowauKJfhEXDB_Lho74Zb0yyF-03_sG5cuZrLbG_EGbOzx8oAS9yxHbTqpjJgC4jE9hLABbq4Uo/s1600/Screen+Shot+2013-06-14+at+20.00.02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Fqk-jWHrGmONrZj9ktSyeXwgh_XfOr2F6q_0RSrcmgv_1l0_A3sLcXEdSKUqGJPgBowauKJfhEXDB_Lho74Zb0yyF-03_sG5cuZrLbG_EGbOzx8oAS9yxHbTqpjJgC4jE9hLABbq4Uo/s320/Screen+Shot+2013-06-14+at+20.00.02.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
Using your favoured editor open Tweak.xm and remove all the example code that is in the file. Next add the following:<br />
<br />
<b><span style="color: lime;">%hook </span><span style="color: red;"><Name of Class></span></b><br />
<b><span style="color: lime;">+(BOOL)</span><span style="color: red;"><Name of Method></span><span style="color: lime;"> { </span></b><br />
<b style="color: lime;"> </b><i><span style="color: yellow;"> // Call the original method </span></i><br />
<b><span style="color: lime;"> <span class="Apple-tab-span" style="white-space: pre;"> </span>%orig;</span></b><br />
<br />
<span class="Apple-tab-span" style="color: lime; font-weight: bold; white-space: pre;"> </span><i><span style="color: yellow;">//Pop up an alert to show you got hooked, this is just for debug, you don't really need it</span></i><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"isa56k pwning..." </span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>message:@"No Jailbreaks Here" </span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>delegate:nil </span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>cancelButtonTitle:@"Bye Bye" </span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>otherButtonTitles:nil];</span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>[alert show];</span></b><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>[alert release];</span></b><br />
<span style="color: yellow;"><i> // The most important bit, return false and lie about the jailbreak status!!</i></span><br />
<b><span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return false;</span></b><br />
<br />
<b><span style="color: lime;">}</span></b><br />
<b><span style="color: lime;">%end</span></b><br />
<br />
The items in <span style="color: red; font-weight: bold;">RED </span>above need to match up with your application. This is what my Tweak.xm looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuHdS7gjNDlgDkfUJlzxHWmrlPaxxxi6hEut-aTh97zKtBq_yLXAixD2x0BxUuAOPmIMNx87IccIipy243OSoClD02WEhGJL3mR9ffwJvT4vqRo8VuNwUYneZFcp4YqaSe3IO6TQk6HFM/s1600/Screen+Shot+2013-06-14+at+20.14.51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuHdS7gjNDlgDkfUJlzxHWmrlPaxxxi6hEut-aTh97zKtBq_yLXAixD2x0BxUuAOPmIMNx87IccIipy243OSoClD02WEhGJL3mR9ffwJvT4vqRo8VuNwUYneZFcp4YqaSe3IO6TQk6HFM/s400/Screen+Shot+2013-06-14+at+20.14.51.png" width="400" /></a></div>
<br />
The most important part of the tweak is really the final line of the function, "return false". Every call to [DMEDevice isJailBroken] in the application now runs our replacement instead, telling the app that it is not jailbroken. The %orig line still calls the real implementation first (its result is thrown away), so any side effects of the original check, such as logging, still happen; drop it if you want the original code never to run.<br />
<br />
I have included a UIAlertView so that we know our patch is being run; without it, it can be difficult to tell whether the hook has actually been called. UIKit is main-thread only, so if the app performs its check on a background thread the alert may not display or may crash the app; an NSLog line read from the device syslog is the safer debug aid. Remove the alert once you are happy your tweak is working.<br />
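Steps 4 and 5 can be scripted rather than done by eye. The Python below is an added example for this post, not code from the original or from the Theos project: it walks class-dump-z style output, reports every method whose selector contains a jailbreak-related keyword together with its owning class, its +/- kind and its return type, and emits a Logos %hook skeleton in the same shape as the Tweak.xm above (original called, then a benign value returned). The dump text, class names and selectors embedded in it are constructed for the example, not taken from a real app; the keyword list and the table of "safe" return values are assumptions to tune for the app in front of you.<br />

```python
"""Find likely jailbreak-detection methods in a class-dump-z dump and emit Logos hooks.

Added example for this post; the sample dump below is constructed, not a real app.
"""
import re
import sys
from dataclasses import dataclass

# Constructed class-dump-z style output. Class and selector names are made up for the example.
SAMPLE_DUMP = """\
@interface DMEDevice : NSObject {
\tBOOL _checked;
}
+(BOOL)isJailBroken;
+(id)sharedDevice;
-(BOOL)isJailbrokenWithPaths:(id)paths;
-(void)reportStatus;
@end

@interface DMESettingsViewController : UIViewController
-(void)viewDidLoad;
-(BOOL)shouldAutorotate;
-(int)securityCheckLevel;
-(BOOL)detectCompromisedDevice;
@end
"""

# Assumed keyword list; extend it with whatever the vendor's naming suggests.
KEYWORDS = ("jail", "break", "detect", "compromis", "cydia", "rooted")

# Assumed "safe" value to return for common types once the real check has run.
# Anything else is left to you: the generator returns %orig for it and flags a TODO.
SAFE_RETURNS = {"BOOL": "NO", "bool": "false", "_Bool": "false", "int": "0",
                "NSInteger": "0", "NSUInteger": "0", "id": "nil"}

IFACE_RE = re.compile(r"^@interface\s+(\w+)")
# Matches "+(BOOL)isJailBroken;" and the spaced form "- (BOOL)isJailbrokenWithPaths:(id)paths;"
METHOD_RE = re.compile(r"^\s*([+-])\s*\(([^)]+)\)\s*([^;]+);")


@dataclass(frozen=True)
class Candidate:
    cls: str        # class the method belongs to
    kind: str       # "+" class method, "-" instance method
    ret_type: str   # declared return type, e.g. "BOOL"
    selector: str   # declaration after the return type, e.g. "isJailbrokenWithPaths:(id)paths"


def find_candidates(dump_text, keywords=KEYWORDS):
    """Return methods whose selector contains one of the keywords, with their owning class."""
    found = []
    current = None
    for line in dump_text.splitlines():
        iface = IFACE_RE.match(line)
        if iface:
            current = iface.group(1)
            continue
        if line.startswith("@end"):
            current = None
            continue
        m = METHOD_RE.match(line)
        if m is None or current is None:
            continue
        kind, ret_type, selector = m.group(1), m.group(2).strip(), m.group(3).strip()
        if any(k in selector.lower() for k in keywords):
            found.append(Candidate(current, kind, ret_type, selector))
    return found


def logos_hooks(candidates):
    """Render a Tweak.xm body: one %hook block per class, one override per candidate.
    The +/- and the selector are copied verbatim from the dump so the hook matches exactly."""
    by_class = {}
    for c in candidates:
        by_class.setdefault(c.cls, []).append(c)
    lines = []
    for cls, methods in by_class.items():
        lines.append(f"%hook {cls}")
        for m in methods:
            lines.append(f"{m.kind}({m.ret_type}){m.selector} {{")
            if m.ret_type == "void":
                lines.append("\t%orig;")
            elif m.ret_type in SAFE_RETURNS:
                # Let the real check run (it may log or set state the app expects), then lie.
                lines.append("\t%orig;")
                lines.append(f"\treturn {SAFE_RETURNS[m.ret_type]};")
            else:
                lines.append("\treturn %orig; // TODO: pick a safe value for this type")
            lines.append("}")
        lines.append("%end")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 find_jb_hooks.py dump.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    hits = find_candidates(text)
    for h in hits:
        print(f"{h.cls} {h.kind}({h.ret_type}){h.selector}")
    print()
    print(logos_hooks(hits))
```

The keyword match is deliberately loose, so read the output before pasting it into Tweak.xm: a selector such as shouldAutorotate is skipped by the list above, but a vendor that names its check isDeviceSecure will need an extra keyword, and a check implemented as a plain C function will not appear in a class dump at all.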
<br />
As we are using UIAlertView for a bit of debug we need to also include UIKit framework in our Makefile as well as a few other bits and pieces. Open up the Makefile in your project directory and add the following (some will already exist).<br />
<br />
<span style="color: lime;">GO_EASY_ON_ME = 1</span><br />
<span style="color: yellow;">#The ip of your device that you will install the tweak on</span><br />
<span style="color: lime;">export THEOS_DEVICE_IP=</span><span style="color: red;"><YOUR DEVICE IP></span><br />
<span style="color: yellow;">#The architecture you wish to compile for</span><br />
<span style="color: lime;">export ARCHS=armv7 </span><br />
<span style="color: lime;">export TARGET=iphone:latest:4.3</span><br />
<span style="color: lime;">export SDKVERSION = 6.1</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">include theos/makefiles/common.mk</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">TWEAK_NAME = isnotjailbroken</span><br />
<span style="color: lime;">isnotjailbroken_FILES = Tweak.xm</span><br />
<span style="color: yellow;"># Add this line in so that the UIKit framework is included</span><br />
<span style="color: lime;">isnotjailbroken_FRAMEWORKS = UIKit</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">include $(THEOS_MAKE_PATH)/tweak.mk</span><br />
<br />
It's worth noting that when adding in a framework the tweakname must match as below in <span style="color: red;">red</span>:<br />
<br />
<span style="color: lime;">TWEAK_NAME = </span><span style="color: red;">isnotjailbroken</span><br />
<span style="color: red;">isnotjailbroken</span><span style="color: lime;">_FILES = Tweak.xm</span><br />
<span style="color: yellow;"># Add this line in so that the UIKit framework is included</span><br />
<span style="color: red;">isnotjailbroken</span><span style="color: lime;">_FRAMEWORKS = UIKit</span><br />
<br />
It took me ages to spot isnotJailbroken had an uppercase J when debugging an error!!<br />
<br />
Here is my Makefile..<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB5tVRpm1WDYafDSCkgfjDxFAJ7Kk0i13OkF74cBCO1Af2Fv_vIXG_viqdN7k9wKkgpn1eAyWrI8WAyAatJhDoqgEE7ynzsYYXEnHgy8tesnyH2yUWUm9b_PBxjGCpkIjLK_YHeOrTcRI/s1600/Screen+Shot+2013-06-14+at+20.28.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB5tVRpm1WDYafDSCkgfjDxFAJ7Kk0i13OkF74cBCO1Af2Fv_vIXG_viqdN7k9wKkgpn1eAyWrI8WAyAatJhDoqgEE7ynzsYYXEnHgy8tesnyH2yUWUm9b_PBxjGCpkIjLK_YHeOrTcRI/s400/Screen+Shot+2013-06-14+at+20.28.31.png" width="400" /></a></div>
<br />
<br />
<b><u>Step 6 - Install and Run</u></b><br />
The final step is to make, package and install the tweak onto the jailbroken device. From inside your project directory type the following:<br />
<br />
<b><span style="color: lime;"> #sudo make package install</span></b><br />
<br />
This should compile the tweak, package it as a .deb and install it on your jailbroken device over SSH (to the IP set in THEOS_DEVICE_IP). I have got <a href="http://www.priyaontech.com/2012/01/ssh-into-your-jailbroken-idevice-without-a-password/" target="_blank">public key auth set up </a>on my iOS test device so that I am not prompted to enter a password, but you may be prompted to enter the SSH password for the device's root account at this point.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKjfrNy93xuQyj2-tpFuf_B_U18oZE86DuNpI9a_YjYyIlU-Xu_QgW5Tj1fxP1EbsbS3_laxzVYFrxVahA383Z-opvVRhC8cfzgVj-onTLiEqxBXeeuH0EJi83GsxVfjwClzqQN6ZJEow/s1600/Screen+Shot+2013-06-14+at+20.41.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKjfrNy93xuQyj2-tpFuf_B_U18oZE86DuNpI9a_YjYyIlU-Xu_QgW5Tj1fxP1EbsbS3_laxzVYFrxVahA383Z-opvVRhC8cfzgVj-onTLiEqxBXeeuH0EJi83GsxVfjwClzqQN6ZJEow/s400/Screen+Shot+2013-06-14+at+20.41.38.png" width="400" /></a></div>
<br />
Next launch the application and check that you get the alert pop up, if you do then your tweak / hook is being called :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxclbJ0lSDAZkRsn_mulT2uxK6ww9kP_RnjVSrBh6DAlHeAjYsWMf_2ATTZh0sq0xTT6m-oFbKlHU_BIx67yuqxJ71dEHsSTdfhJsawHzHN8L0xEvH_HBZDzkSp77StgGGYdXgQzcrzY/s1600/photo.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGxclbJ0lSDAZkRsn_mulT2uxK6ww9kP_RnjVSrBh6DAlHeAjYsWMf_2ATTZh0sq0xTT6m-oFbKlHU_BIx67yuqxJ71dEHsSTdfhJsawHzHN8L0xEvH_HBZDzkSp77StgGGYdXgQzcrzY/s320/photo.PNG" width="212" /></a></div>
<br />
<br />
This is only very simple jailbreak detection. Other apps have started to disguise when they check and how they do it (obfuscated selectors, checks spread across several places, checks done from plain C functions that never show up in a class dump and need MSHookFunction rather than %hook), which defeats a keyword search of the dump. I believe some MDM vendors regularly change the methods and the code that checks to keep hackers on their toes.isa56khttp://www.blogger.com/profile/09347015681937215514noreply@blogger.com1tag:blogger.com,1999:blog-3167755028408409431.post-36937311918309323082013-05-29T16:47:00.000+01:002013-05-30T10:24:56.319+01:00Remote Debugging iOS using lldb...<div class="separator" style="clear: both; text-align: justify;">
As per previous post, I attended HITB 2013 Amsterdam in April. I decided to do the mobile hacking course run by Blake Turrentine from <a href="http://hotwan.com/" target="_blank">HotWan</a>, <a href="https://twitter.com/pod2g" target="_blank">@Pod2g</a> & <a href="https://twitter.com/p0sixninja" target="_blank">@P0sixninja</a>.</div>
<div class="p1">
<ul class="ul1">
</ul>
<div class="p1">
One thing I picked up from the course was remote debugging of userland applications using lldb. In order to do this you need the following:</div>
<ul class="ul1">
<li class="li1">A mac with Xcode installed</li>
<li class="li1">Jailbroken Device (iOS.6.1) running ssh</li>
</ul>
Step 1 - First you need to mount the DeveloperDiskImage.dmg for 6.1. In a terminal window type the following:<br />
<ul>
<li>hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/6.1\ \(10B141\)/DeveloperDiskImage.dmg</li>
</ul>
<ol class="ol1">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggrHeXCOzbL0mgl51A1YsRqVCYIyIu8-TsoBfD_DIwIJtvRJ1E0tQSH2JaUI_vNESshSVyBU6WZb_h_U4hbIuDFaPzmQ52obMuQkedVcRHh6Ympj6rT_T9bYEup9vql7qEo_YFVgDJjmw/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggrHeXCOzbL0mgl51A1YsRqVCYIyIu8-TsoBfD_DIwIJtvRJ1E0tQSH2JaUI_vNESshSVyBU6WZb_h_U4hbIuDFaPzmQ52obMuQkedVcRHh6Ympj6rT_T9bYEup9vql7qEo_YFVgDJjmw/s400/01.png" width="400" /></a></div>
</ol>
Step 2 - Create a temporary directory on your mac and copy the debugserver to it:<br />
<ul>
<li>mkdir debug</li>
<li>cd debug</li>
<li>cp /Volumes/DeveloperDiskImage/usr/bin/debugserver . </li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNo_PSVVLFLDzp1DoWa6h-5N-p3vo34D_ieRBF2l9iBu64TJj55VxcqgR94-q4cYsc_lculREqN_levFwXKlv2tvIxVDMyI1L6GUi44lFcMP1ey4qugKCach0_eJ-vrtFAa62F6TQEBEk/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNo_PSVVLFLDzp1DoWa6h-5N-p3vo34D_ieRBF2l9iBu64TJj55VxcqgR94-q4cYsc_lculREqN_levFwXKlv2tvIxVDMyI1L6GUi44lFcMP1ey4qugKCach0_eJ-vrtFAa62F6TQEBEk/s400/02.png" width="400" /></a></div>
<div>
<br /></div>
Step 3 - Next, you need to code-sign the executable using an entitlements file. To create the entitlements file, do the following:<br />
<ul>
<li>nano entitlements.plist</li>
<li>copy and paste the text below into the terminal window </li>
</ul>
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b><?xml version="1.0" encoding="UTF-8"?><br />
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><br />
<plist version="1.0"><br />
<dict><br />
<key>com.apple.springboard.debugapplications</key><br />
<true/><br />
<key>run-unsigned-code</key><br />
<true/><br />
<key>get-task-allow</key><br />
<true/><br />
<key>task_for_pid-allow</key><br />
<true/><br />
</dict><br />
</plist></b></span><br />
<ul>
<li>press ctrl+x to quit, then Y to save and hit return to exit nano</li>
<li>You should have something like below if you cat entitlements.plist </li>
</ul>
<ol class="ol1"><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPg60JUbXfFoDww_6Wi6wRKhvlzPvlvbuGuZ7lDLuVSgWYIuyPa2rOFmT9XyF28O-qamG5mIlazzPvLKoJHUDjQg7SZu2Vh4AJhO_xLbrQcxxLer3Rxyomw5tdPOZi9W8oCr9fVWtjGJc/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPg60JUbXfFoDww_6Wi6wRKhvlzPvlvbuGuZ7lDLuVSgWYIuyPa2rOFmT9XyF28O-qamG5mIlazzPvLKoJHUDjQg7SZu2Vh4AJhO_xLbrQcxxLer3Rxyomw5tdPOZi9W8oCr9fVWtjGJc/s400/03.png" width="400" /></a></div>
</ol>
<ul>
<li>If you don't want to make the entitlements file just download it from the link <a href="https://mega.co.nz/#!oMxHXQgS!cns_2FFjpvL50cjm2K7AeymrS8owmq8H9bn7jJocj2s" target="_blank">here</a></li>
</ul>
Step 4 - Now you need to sign the executable with the entitlements file you just created:<br />
<ul>
<li>codesign -s - --entitlements entitlements.plist -f debugserver </li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCcO1VC2Cpvi8aYz_WhyJzA7_ervTBbaWGU9S1o9EaxgZlisSnpzeRDbdNfuCZLoeKqkLucIGZgEKR1jVxLMT5kGqJvOkdS_dziKpMRZe0W_wZzxxSkefozJhKmW-fKuF1bqHInfuoUIY/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCcO1VC2Cpvi8aYz_WhyJzA7_ervTBbaWGU9S1o9EaxgZlisSnpzeRDbdNfuCZLoeKqkLucIGZgEKR1jVxLMT5kGqJvOkdS_dziKpMRZe0W_wZzxxSkefozJhKmW-fKuF1bqHInfuoUIY/s400/04.png" width="400" /></a></div>
<div class="p1">
<br /></div>
Step 5 - You can unmount the developer .dmg.<br />
<ul>
<li>hdiutil detach /Volumes/DeveloperDiskImage/</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_j6JmwmqT5fN-C-D6SLamhQ0MeRdyZL6bG1A3eDkYTbvTw3rQiQ7RUlHpUpquehGQJ8CvAyZWKGz_scghyQ0MCozRqdEhWYR14wahonwe2d9ahfcsxxvLJBt8UR5Nabkc84JgnohFSM0/s1600/05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="53" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_j6JmwmqT5fN-C-D6SLamhQ0MeRdyZL6bG1A3eDkYTbvTw3rQiQ7RUlHpUpquehGQJ8CvAyZWKGz_scghyQ0MCozRqdEhWYR14wahonwe2d9ahfcsxxvLJBt8UR5Nabkc84JgnohFSM0/s400/05.png" width="400" /></a></div>
<div>
<br /></div>
Step 6 - Copy the executable to the iPad (this assumes you have ssh running on the device; if you don't, you need to set that up first). I use usbmux to connect to my iPad via USB, but you could connect via WiFi using the device's IP address.<br />
<ul>
<li>Start usbmuxd (tcprelay.py) to forward local port 2222 on my Mac to port 22 on the remote device</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_x27_T87V2I7ux-JcM8QxyBbvgRwnRxosDVf2f9P1Q0v0On1kcu7ZXEJvLN966eDOruCaV_SNKrQVugnkmse_u1SQ-u1A3dB0R_bSkwEOdtFRG8IEOvIOAyT_TGkHbPsTE1ApyJtZYgw/s1600/06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_x27_T87V2I7ux-JcM8QxyBbvgRwnRxosDVf2f9P1Q0v0On1kcu7ZXEJvLN966eDOruCaV_SNKrQVugnkmse_u1SQ-u1A3dB0R_bSkwEOdtFRG8IEOvIOAyT_TGkHbPsTE1ApyJtZYgw/s400/06.png" width="400" /></a></div>
<ul>
<li>Use scp to copy it to the device; when prompted, enter the password for the root account on your device (iPad / iPhone). You could equally use Cyberduck or any other file transfer application you have.</li>
<li>scp -P 2222 debugserver root@localhost:/var/root</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqTcrZxwq23Ga1KBUxUnfLgC6JMGB88BpcdtCs0AQXYQ4TlJ5rIo8IufyCdFV7nrzDX8wP10_Cs3-1mpa27PFBGhWFtBp67iCB3hQBTBx0UGuFhlaK96QnoJanPXQpvekYcVeO3p1vh2g/s1600/07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqTcrZxwq23Ga1KBUxUnfLgC6JMGB88BpcdtCs0AQXYQ4TlJ5rIo8IufyCdFV7nrzDX8wP10_Cs3-1mpa27PFBGhWFtBp67iCB3hQBTBx0UGuFhlaK96QnoJanPXQpvekYcVeO3p1vh2g/s400/07.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Step 7 - ssh onto the device, start the debugserver and select a port for the server to listen on:</div>
<ul>
<li>./debugserver localhost:1234 --attach=<<b>TheProcessNameYouWantToDebug</b>></li>
</ul>
If you get the error below:<br />
<br />
<span style="color: yellow;">
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><b>dyld: Library not loaded: /Developer/Library/PrivateFrameworks/ARMDisassembler.framework/ARMDisassembler</b><br /><b>Referenced from: /private/var/root/./debugserver</b><br /><b>Reason: image not found</b></span></span></div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh-0vIVcxkUMKHsHvJspw9ULOQvylARTZkRyZlkekvCDdpanI2dZAAQ5tOejp649SBPTMw6h8flEZN_V_f2OeJyNteZ-V4yyZdcZfLpwXtn7H6vfWXueOn1IvihLQuxS-yUE6P_9u1xvs/s1600/08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="31" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh-0vIVcxkUMKHsHvJspw9ULOQvylARTZkRyZlkekvCDdpanI2dZAAQ5tOejp649SBPTMw6h8flEZN_V_f2OeJyNteZ-V4yyZdcZfLpwXtn7H6vfWXueOn1IvihLQuxS-yUE6P_9u1xvs/s400/08.png" width="400" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
You need to start Xcode with the device connected to your Mac via USB, navigate to Window > Organizer (or press cmd + shift + 2), select Devices, choose your device in the left-hand pane and ensure the device is configured for development (see the Apple developer documentation <a href="http://developer.apple.com/library/ios/#documentation/ToolsLanguages/Conceptual/YourFirstAppStoreSubmission/ProvisionYourDevicesforDevelopment/ProvisionYourDevicesforDevelopment.html" target="_blank">here</a>).<br />
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6vd3woNscEmyJmiCCzoApNyxqCQnwmz7r3dE-4TOsV8fxnOyPy5mNNGAxXU3TKtvd9EM_nKZ93GfgmLeb9Jzet8W2XK2DPLW-tUM9mpChxrUv9g09D3tEp0fvxkFHO5oWv-waAS-ja1o/s1600/09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6vd3woNscEmyJmiCCzoApNyxqCQnwmz7r3dE-4TOsV8fxnOyPy5mNNGAxXU3TKtvd9EM_nKZ93GfgmLeb9Jzet8W2XK2DPLW-tUM9mpChxrUv9g09D3tEp0fvxkFHO5oWv-waAS-ja1o/s400/09.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you are not enrolled in the Apple developer program and have no intention to be, you can mount the "DeveloperDiskImage.dmg for 6.1" again (as per step 1) and copy the contents of /Volumes/DeveloperDiskImage/Library to the /Developer directory on the device. This worked for me before I realised you needed to enrol the device as a development device :) </div>
<div class="p1">
<br /></div>
Step 8 - If the debug server has started OK and is listening, the terminal session will appear to hang, as below:</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRBfplbSI4pIledgJCXf_hnRK1VXbGXQ8Ddv7SSW4rW9BzMfjmJxp7hxN2eRmqzd22RurcpSFp86W0xyQmvM3PdDFYPO24qxozBPK5__A30DaV2r5DfYYrqIlCF5BdzSNYueFOhzvUPTQ/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRBfplbSI4pIledgJCXf_hnRK1VXbGXQ8Ddv7SSW4rW9BzMfjmJxp7hxN2eRmqzd22RurcpSFp86W0xyQmvM3PdDFYPO24qxozBPK5__A30DaV2r5DfYYrqIlCF5BdzSNYueFOhzvUPTQ/s400/10.png" width="400" /></a></div>
<div class="p1">
<br /></div>
<div class="p1">
Step 9 - If you are using usbmuxd you will need to ensure the port you just set the debug server to listen on is being forwarded from your Mac over USB to the remote port (if you are using the IP address to connect to the device you don't need to worry about this).<br />
<ul>
<li>sudo ./Tools/iPhone/usbmuxd/usbmuxd-1.0.8/python-client/tcprelay.py -t 1234:1234</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilR2rkM7y4R3NKHuwvj6wM5NCxUHQbm2O5QgAnIcpR_S_ivUhwyRT0yg1dp4n1aUr-fG-UP9lVQectzmXUleHy7q17iayWLhKpc30vH8g3x5cGz_IxYVNvo_8I2C7L9at0HuTelOXwDtE/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="18" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilR2rkM7y4R3NKHuwvj6wM5NCxUHQbm2O5QgAnIcpR_S_ivUhwyRT0yg1dp4n1aUr-fG-UP9lVQectzmXUleHy7q17iayWLhKpc30vH8g3x5cGz_IxYVNvo_8I2C7L9at0HuTelOXwDtE/s400/11.png" width="400" /></a></div>
<div>
<br /></div>
Step 10 - On your Mac you can now start <b>lldb</b>.</div>
<div class="p1">
<ul>
<li>Type <b>lldb</b> at a command prompt</li>
<li>Once the lldb console has started, type <b>platform select remote-ios</b> and hit enter.</li>
</ul>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi1gwen4X3g2Yi_G8e5gLSThrCow3GG6VyqCqrdplKq969YGgPRSwUQueL_BqhaBR7HpiCvpBcAc0u_xP94W8pWyJJyjRvkUoONi7YGFxWCXTbvf65dMX6y6EE9B_gyduNogfDVPbfe5c/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi1gwen4X3g2Yi_G8e5gLSThrCow3GG6VyqCqrdplKq969YGgPRSwUQueL_BqhaBR7HpiCvpBcAc0u_xP94W8pWyJJyjRvkUoONi7YGFxWCXTbvf65dMX6y6EE9B_gyduNogfDVPbfe5c/s400/12.png" width="400" /></a></div>
<div class="p1">
<div class="p1">
<br /></div>
Step 11 - Connect to the debugserver running on the device:<br />
<ul>
<li>process connect connect://localhost:1234</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVuevMM7n4vOHZyPOnCgjatjUZk0ZSOSZn9x-eFjN1A5QFDoiMdwRhMd7Z4opsBuyt4YcUy7z9Hzs2jVQc1KBK47k86nMEPaJQGZ9QrbuCilRCnmNLuqk2UT9LzdNY3Rb9fijYq-kh114/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVuevMM7n4vOHZyPOnCgjatjUZk0ZSOSZn9x-eFjN1A5QFDoiMdwRhMd7Z4opsBuyt4YcUy7z9Hzs2jVQc1KBK47k86nMEPaJQGZ9QrbuCilRCnmNLuqk2UT9LzdNY3Rb9fijYq-kh114/s400/13.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Step 12 - You are now attached to the process and can debug using lldb commands, for example:</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>register read</li>
<li>bt</li>
</ul>
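<div class="p1">
The host-side part of steps 1 to 6 above, collected into one POSIX shell script as an added example (this is not code from the original post). The developer disk image path, the entitlements plist and the 2222-to-22 usbmux forward are the ones used in the post; the work directory, the function names and the IOS_DEBUG_SETUP guard are assumptions. Nothing touches Xcode or the device unless that variable is set, so the entitlements functions can be run anywhere. The point of check_entitlements is that get-task-allow, task_for_pid-allow and run-unsigned-code are exactly the rights that let a binary attach to and inject into other processes, so it is worth being certain which file you are about to sign with them; on a device you are assessing, the same keys are what to look for in binaries you did not put there (on the Mac, codesign -d --entitlements :- FILE prints a signed binary's entitlements).</div>

```shell
#!/bin/sh
# Added example, not from the original post: the host-side steps (1-6) of the
# procedure above as one script. The DDI path, the entitlements and the
# 2222->22 usbmux forward are taken from the post; WORKDIR, the function names
# and the IOS_DEBUG_SETUP guard are assumptions.
set -eu

DDI='/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/6.1 (10B141)/DeveloperDiskImage.dmg'
MOUNT=/Volumes/DeveloperDiskImage
WORKDIR="${WORKDIR:-debug}"

# Step 3: write the entitlements plist from the post to the file named in $1.
# get-task-allow and task_for_pid-allow let the signed binary obtain other
# processes' task ports; run-unsigned-code lets it run code nobody signed.
# A debugger needs all of that, which is also why these keys are worth
# looking for in anything else found on a device.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
EOF
}

# Print, one per line, every <key> in plist $1 whose next element is <true/>.
# Plain awk rather than plutil so it also runs where plutil does not exist.
true_keys() {
    awk '
        /<key>/   { sub(/.*<key>/, ""); sub(/<\/key>.*/, ""); key = $0; next }
        key != "" { if ($0 ~ /<true\/>/) print key; key = "" }
    ' "$1"
}

# Fail unless plist $1 grants all four entitlements the post relies on, so the
# file is reviewed before it is handed to codesign rather than after.
check_entitlements() {
    for want in com.apple.springboard.debugapplications run-unsigned-code \
                get-task-allow task_for_pid-allow; do
        true_keys "$1" | grep -qx "$want" || { echo "missing: $want" >&2; return 1; }
    done
}

# Steps 1, 2, 4 and 5: pull debugserver off the developer disk image, sign it
# ad hoc ("-s -") with the entitlements, then unmount the image again.
build_debugserver() {
    mkdir -p "$WORKDIR"
    hdiutil attach "$DDI"
    cp "$MOUNT/usr/bin/debugserver" "$WORKDIR/"
    write_entitlements "$WORKDIR/entitlements.plist"
    check_entitlements "$WORKDIR/entitlements.plist"
    codesign -s - --entitlements "$WORKDIR/entitlements.plist" -f "$WORKDIR/debugserver"
    hdiutil detach "$MOUNT"
}

# Step 6: copy the binary over the usbmux forward (local 2222 -> device 22).
push_debugserver() {
    scp -P 2222 "$WORKDIR/debugserver" root@localhost:/var/root
}

# Only a Mac with Xcode and tcprelay running can do the real work.
if [ "${IOS_DEBUG_SETUP:-0}" = 1 ]; then
    build_debugserver
    push_debugserver
fi
```

<div class="p1">
Saved as, say, setup-debugserver.sh (a hypothetical name), it is run on the Mac with the 2222 forward already up as <b>IOS_DEBUG_SETUP=1 sh setup-debugserver.sh</b>; without the variable it only defines the functions, so <b>write_entitlements</b> and <b>check_entitlements</b> can be exercised on any machine before the real run. Steps 7 onwards (starting debugserver on the device, the 1234 forward and connecting from lldb) are left interactive, as in the post.</div>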
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbkyjoyQXXcY59gNO7oqXt8EVrIVHTRkzEos-7WS75Nq6HzGk9uBB4TurxKeuDK6pHgAw_uYixpMtTDLTFr6l7rJI4JyshEEXUX3H18_YcdvIhdAoqczl5wVhjfzayaq3ywIBdpNzhFHw/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbkyjoyQXXcY59gNO7oqXt8EVrIVHTRkzEos-7WS75Nq6HzGk9uBB4TurxKeuDK6pHgAw_uYixpMtTDLTFr6l7rJI4JyshEEXUX3H18_YcdvIhdAoqczl5wVhjfzayaq3ywIBdpNzhFHw/s400/14.png" width="400" /></a></div>
<div class="p1">
<br /></div>
The following link (<a href="http://lldb.llvm.org/lldb-gdb.html"><span class="s1">http://lldb.llvm.org/lldb-gdb.html</span></a>) is a gdb to lldb comparison chart that might help if you know the gdb command you want but don't know the lldb command.</div>
<div class="p1">
<br />
<div class="p1">
I need to do some more work with lldb as I have never really used it; I'm hoping this will be a useful way to look into some apps I have been wanting to reverse for a little while.<br />
<br /></div>
</div>
isa56k http://www.blogger.com/profile/09347015681937215514 noreply@blogger.com 3<br />
tag:blogger.com,1999:blog-3167755028408409431.post-9109328919607724044 2013-05-22T23:10:00.000+01:00 2013-05-30T08:27:32.032+01:00<br />
<b>iOS Kernel Debugging USB Cable...</b><div class="p1">
A month or so back I attended <a href="http://conference.hitb.org/" target="_blank">Hack In The Box </a>2013 in Amsterdam. I do a fair bit of work with mobile and have done my share of 'BYOD', 'MDM' and 'MAM' (and probably any other MxM that comes along). I decided if I was gonna take the time to attend the con it would be worth signing up for some of the training too. The obvious choice for me was Mobile Hacking II which was being run by Blake Turrentine from <a href="http://hotwan.com/" target="_blank">Hotwan</a>. He had enlisted the help of two great iOS hackers, <a href="https://twitter.com/pod2g" target="_blank">@pod2g</a> and <a href="https://twitter.com/p0sixninja" target="_blank">@p0sixninja</a>. Both have made regular contributions to iOS jailbreaking and know a lot about iOS. </div>
<div class="p2">
<br /></div>
<div class="p1">
One of the topics <a href="https://twitter.com/p0sixninja" target="_blank">@p0sixninja</a> covered was finding bugs in iBoot. To do this you need a special USB to serial 30-pin connector. This isn't new; it's an area <a href="https://twitter.com/i0n1c" target="_blank">@i0n1c</a> did a lot of the initial research on back in 2011. He also presented his findings at Blackhat (<a href="http://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf"><span class="s1">http://media.blackhat.com/bh-us-11/Esser/BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf</span></a>). He discovered that you could create a USB serial cable that would allow you to connect to the iOS kernel via KDB and debug what was going on. In order to do this you obviously need to create the USB cable; I don't have one, so I decided to order the parts and try to knock one up. <a href="https://twitter.com/hackerfantastic" target="_blank">@HackerFantastic</a> has a good write-up over on instructables (<a href="http://www.instructables.com/id/Apple-iOS-SerialUSB-Cable-for-Kernel-Debugging/?ALLSTEPS"><span class="s1">http://www.instructables.com/id/Apple-iOS-SerialUSB-Cable-for-Kernel-Debugging/?ALLSTEPS</span></a>) that is also well worth a look.</div>
<div class="p2">
<br /></div>
<div class="p1">
Here are my instructions and what I did….</div>
<div class="p2">
<br /></div>
<div class="p1">
<span class="s2"><b><u>Ingredients</u>:</b></span></div>
<div class="p1">
You will need the following components in order to create the USB serial debugging cable.</div>
<div class="p2">
<br /></div>
<div class="p3">
<span class="s3">1 x PodGizmo (30pin) (<a href="http://proto-pic.co.uk/podbreakout/"><span class="s2">http://proto-pic.co.uk/podbreakout/</span></a>)</span></div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCrLwOKr9sphfn_YHc6iEK6A87FTH_8dWw0_B2jRQWDSfaq_MlGDlinmu-e86yNRlJS5Zuqgm0ZiRKRWI4NYm_tFBNYLhznsj6nO5DYC7ON3V9TfCb_Ny-azE9v-hyhgCYu0ujYLab4_Y/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCrLwOKr9sphfn_YHc6iEK6A87FTH_8dWw0_B2jRQWDSfaq_MlGDlinmu-e86yNRlJS5Zuqgm0ZiRKRWI4NYm_tFBNYLhznsj6nO5DYC7ON3V9TfCb_Ny-azE9v-hyhgCYu0ujYLab4_Y/s1600/1.jpg" width="300" /></a></div>
<br />
<br />
<div class="p3">
<span class="s3">1 x FT232RL USB to Serial Breakout Board (<a href="http://proto-pic.co.uk/breakout-board-for-ft232rl-usb-to-serial/"><span class="s2">http://proto-pic.co.uk/breakout-board-for-ft232rl-usb-to-serial/</span></a>)</span></div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZaoGMDX9hI_BcRllHvU3GieIlObUJK130K1VDCcIP9UW3_eHg5Gyudjm73IyFTx2eSHSyW0MkuTR8vI2k49MYV1j8Z-LWwd6tk-g5QVj6-jcQbFFSUUir7a0yKfuQ58WrzxiGk7aLVw/s1600/8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuZaoGMDX9hI_BcRllHvU3GieIlObUJK130K1VDCcIP9UW3_eHg5Gyudjm73IyFTx2eSHSyW0MkuTR8vI2k49MYV1j8Z-LWwd6tk-g5QVj6-jcQbFFSUUir7a0yKfuQ58WrzxiGk7aLVw/s1600/8.jpg" width="300" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p2">
<br /></div>
<div class="p3">
<span class="s3">1 x 470KΩ resistor (<a href="http://proto-pic.co.uk/470-ohm-1-4-watt-pth/"><span class="s2">http://proto-pic.co.uk/470-ohm-1-4-watt-pth/</span></a>)</span></div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQqeR0dndfx2w9YzJmR3bAqIrW6aK6lmXPe-Zh_xV_Q9KOG417SGkTrg2RRdA_TRwDPapKePmwBd2iW-QsvaoRLIfpbv4bVI-3BHnrW-To9-vi4W1-i7UJKTYpkMEdrFliZfhvrGAvnoE/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQqeR0dndfx2w9YzJmR3bAqIrW6aK6lmXPe-Zh_xV_Q9KOG417SGkTrg2RRdA_TRwDPapKePmwBd2iW-QsvaoRLIfpbv4bVI-3BHnrW-To9-vi4W1-i7UJKTYpkMEdrFliZfhvrGAvnoE/s1600/4.jpg" width="300" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p3">
<span class="s3">2 x USB Cables (A to mini B) (<a href="http://proto-pic.co.uk/sparkfun-usb-mini-b-cable-6-foot/"><span class="s2">http://proto-pic.co.uk/sparkfun-usb-mini-b-cable-6-foot/</span></a>) </span></div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVGc5TVHFZjDrpSSGSx5USQsC0zyIZg9KrD10_S-e6iemAarCVm5LPhBnTS9k7VyZKCVcI2G2l2lF6Dwuc4hCh5RQG_FPG88RA1RwxoE-Zl8VL6Is9cU9pa-69jOx8zwwhWsPqlPu0YBY/s1600/5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVGc5TVHFZjDrpSSGSx5USQsC0zyIZg9KrD10_S-e6iemAarCVm5LPhBnTS9k7VyZKCVcI2G2l2lF6Dwuc4hCh5RQG_FPG88RA1RwxoE-Zl8VL6Is9cU9pa-69jOx8zwwhWsPqlPu0YBY/s1600/5.JPG" width="300" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p3">
<span class="s3">Single Core Hook up Wire / Bell Wire (<a href="http://proto-pic.co.uk/hook-up-wire-assortment-solid-core/"><span class="s2">http://proto-pic.co.uk/hook-up-wire-assortment-solid-core/</span></a>) </span></div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNfMuyM-TdPb7JfHklrp5Q3v3xeFf1-rRVOJ6khquR09ac5H-se32894g-D307scJn4HL4fmKwWGuVnXyjuJAkBQbJMYa_DFYmtf3SCXLINT9L6oEncL3CxLDRCsWDAo3brAnMK0YMQfM/s1600/6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNfMuyM-TdPb7JfHklrp5Q3v3xeFf1-rRVOJ6khquR09ac5H-se32894g-D307scJn4HL4fmKwWGuVnXyjuJAkBQbJMYa_DFYmtf3SCXLINT9L6oEncL3CxLDRCsWDAo3brAnMK0YMQfM/s1600/6.jpg" width="300" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p1">
<span class="s2"><b><u>Utensils:</u></b></span> </div>
<div class="p1">
Wire Cutters</div>
<div class="p1">
Soldering Iron</div>
<div class="p1">
Solder</div>
<div class="p1">
3 x pairs of hands and patience (if you haven't soldered before).</div>
<div class="p2">
<br /></div>
<div class="p1">
I cocked up and didn't get the 'single core bell / hook-up wire'. Being a bit impatient and wanting to give this a go ASAP, I decided to try using some dodgy old flex from a 240V lamp (see picture); my soldering skills aren't great, but trying to do it this way was a nightmare. </div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRAzZ59IWFY8OURMXdPhxShs9MoUlA9fjrhePmYPShcTpt6QQiroaox1neBm2VhsrCi1-VqwDA_x0iMDjFIYd9WC6Ww_-tR_SCiIm7HXKf_j_lGKBD8IqdhWFEKe5ykaJ0Ki4r307uwZg/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRAzZ59IWFY8OURMXdPhxShs9MoUlA9fjrhePmYPShcTpt6QQiroaox1neBm2VhsrCi1-VqwDA_x0iMDjFIYd9WC6Ww_-tR_SCiIm7HXKf_j_lGKBD8IqdhWFEKe5ykaJ0Ki4r307uwZg/s1600/7.jpg" width="298" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p1">
My first tip would be to buy yourself some hook-up wire or single core bell wire. I ended up running to Maplin the next day to get some as it was turning into a train smash. This is what I purchased: <a href="http://www.maplin.co.uk/solid-core-wire-1-0.6-6187"><span class="s1">http://www.maplin.co.uk/solid-core-wire-1-0.6-6187</span></a>.</div>
<div class="p2">
<br /></div>
<div class="p2">
Following the steps below you should be able to create a cable similar to the one I have:</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 1 - Cut 4 pieces of bell wire about 3 cm in length and strip back a small amount on each end.</div>
<div class="p1">
<br /></div>
<div class="p1">
Step 2 - Tin each end of the bell wire using the soldering iron (if you haven't soldered before this might help <a href="http://www.instructables.com/id/Strip-and-Tin-Wires-Like-a-Pro/"><span class="s1">http://www.instructables.com/id/Strip-and-Tin-Wires-Like-a-Pro/</span></a>)</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 3 - Solder a piece of the bell wire to each of the GND / RX / TX / 3.3V pins on the USB to serial breakout board.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBHNvH_WNtvSUMoQTsQn3ONKYy96HNBpe-8biZruWq8yOFgbQEQq737mNaDaRyoRSqqdEhpwNYjZNYOu3HaEwd_orpAZyA4w5FFhoegE6PXCNZ4cB_R1z4Pn4KKGt0sHMJ21rWd3jx8Bo/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBHNvH_WNtvSUMoQTsQn3ONKYy96HNBpe-8biZruWq8yOFgbQEQq737mNaDaRyoRSqqdEhpwNYjZNYOu3HaEwd_orpAZyA4w5FFhoegE6PXCNZ4cB_R1z4Pn4KKGt0sHMJ21rWd3jx8Bo/s1600/2.jpg" width="300" /></a></div>
<div class="p1">
</div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 4 - Solder one end of the resistor, together with the wire connected to the GND pin on the serial breakout board, to pin 1 on the pod breakout board (in the picture below, red cable to pin 1). This bit is a real PITA, as you have to manage both the resistor and the wire whilst trying to solder.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 5 - Solder the wire on the RX pin of the USB to serial breakout board to pin 12 on the pod breakout board (in the picture below, blue cable to pin 12).</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 6 - Solder the wire on the TX pin of the USB to serial breakout board to pin 13 on the pod breakout board (in the picture below, white cable to pin 13).</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 7 - Solder the wire on the 3.3V pin of the USB to serial breakout board to pin 18 on the pod breakout board (in the picture below, black cable to pin 18). </div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTT_FqJIkXCJfLOd_86WaDpPRV3Ec0xsFNsRiP_GEyzxuIghPKNwcT6vYPGRiYhT7Q4UqEzyZV-vPw7ZLy-Cg9KHfzcIn0jur8DUv8HpAfAENV9fcnEs_GVrSo13Y-JOiV0ayhyphenhyphen_GHRo/s1600/9.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTT_FqJIkXCJfLOd_86WaDpPRV3Ec0xsFNsRiP_GEyzxuIghPKNwcT6vYPGRiYhT7Q4UqEzyZV-vPw7ZLy-Cg9KHfzcIn0jur8DUv8HpAfAENV9fcnEs_GVrSo13Y-JOiV0ayhyphenhyphen_GHRo/s1600/9.jpg" width="300" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 8 - Solder the loose end of the resistor to pin 21 on the pod break out board.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 9 - Cut the end off a USB cable and strip back the shielding to expose the four wires of the USB cable; these will likely be black, red, white and green.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 10 - Tin the ends of each of the black, red, white and green USB wires.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 11 - Solder the black USB cable to pin 2 on the pod break out board.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 12 - Solder the red USB cable to pin 23 on the pod break out board.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 13 - Solder the white USB cable to pin 25 on the pod break out board.</div>
<div class="p2">
<br /></div>
<div class="p1">
Step 14 - Solder the green USB cable to pin 27 on the pod break out board.</div>
<div class="p2">
<br /></div>
<div class="p1">
The finished iOS Kernel debugging cable should look like this (I added some cable ties to hold it together a bit).</div>
<div class="p2">
<br /></div>
<div class="p2">
<br /></div>
<div class="p2">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJOD5abYyPohqD1tHt7nW4vtPP4zWn9kDR60Ja_dVgDeW_o1WHfVuSxLUFhtLgWkCUt3Rc4HAZdp8_5uw3kt3YRFwVcYS3lsLcD1CzWZKnR0kEyiJWXEaXSWLfchN856cS-4A1jkhVpc/s1600/11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPJOD5abYyPohqD1tHt7nW4vtPP4zWn9kDR60Ja_dVgDeW_o1WHfVuSxLUFhtLgWkCUt3Rc4HAZdp8_5uw3kt3YRFwVcYS3lsLcD1CzWZKnR0kEyiJWXEaXSWLfchN856cS-4A1jkhVpc/s1600/11.JPG" width="300" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiexO-Q6j9mW9JDGOmMTlITfseJeCXv1Ux41ikgOe2UGiy-rHgCKQf9mTdD0yx3vGZMBALcRX5FslXY-SHkZvNyRWvE9Co7YinB5e6GZI3p4kfIVfaJYIooAQ9wzuF_99Ue-Aru3xfKDa0/s1600/10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiexO-Q6j9mW9JDGOmMTlITfseJeCXv1Ux41ikgOe2UGiy-rHgCKQf9mTdD0yx3vGZMBALcRX5FslXY-SHkZvNyRWvE9Co7YinB5e6GZI3p4kfIVfaJYIooAQ9wzuF_99Ue-Aru3xfKDa0/s1600/10.JPG" width="300" /></a></div>
</div>
<div class="p2">
<br /></div>
<div class="p2">
If you connect an iPhone or iPad (one with a 30-pin connector, i.e. not an iPhone 5 or iPad Mini) to the pod breakout and then plug the USB cables into your Mac, you should see the devices under USB, as below:</div>
<div class="p2">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1g8UlBDoaI-5xmi0k7-hb1L0nbtuFkadd4hzonE50JibaSJmqyAVsmR_wW0FwF-znMgn5m_7eG_ueADCW6Mjbn4zeDlmopdt6qYmGS3eWQJqnDHXOF4vKrDX28E72KY05vtrCBAVV2gY/s1600/12.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1g8UlBDoaI-5xmi0k7-hb1L0nbtuFkadd4hzonE50JibaSJmqyAVsmR_wW0FwF-znMgn5m_7eG_ueADCW6Mjbn4zeDlmopdt6qYmGS3eWQJqnDHXOF4vKrDX28E72KY05vtrCBAVV2gY/s1600/12.jpg" width="400" /></a></div>
<div class="p2">
</div>
<div class="p2">
<br /></div>
<div class="p1">
I have also tried to create a video of the process; it only covers the first 2/3, as I ran out of memory on the iPad I was recording on, and my "ginga" barnet gets in the way a lot... It doesn't include the soldering of the USB cable wires to the pod breakout board, but part of the process is there. Unfortunately it's not great; my soldering skills are now marginally better than my camera skills ;-) </div>
<div class="p2">
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: center;">
<a href="https://www.youtube.com/watch?v=_B3rdlmoNsc" target="_blank">Video of the process (YouTube)</a></div>
<div class="p1">
Hopefully I'll get some time to play with iBoot and write a fuzzer for the kernel... </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />AlfredApp... (isa56k, 2013-05-21)<br />
<div style="text-align: justify;">
Every now and then an application comes along that blows my mind: it's a killer app, I get hyped about it, and I can no longer live without it…</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I am a big fan of the command line and love to use the keyboard and shortcuts. If I can do it with a shortcut and a few key presses, it's usually better than reaching for the mouse or trackpad. I like working this way; it's quick and tests my brain, sort of. It's a bit like trying to remember the "finishing moves" in Mortal Kombat back in the 90s. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So what's this all about? <a href="https://twitter.com/alfredapp" target="_blank">@AlfredApp</a>!! </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I installed Alfred a few months back as a demo. I read a bit of the blurb but didn't really take it in. I played around with the free trial and thought it was ok, but it's a bit like Spotlight, so why do I need another Spotlight? Apple already created it, it works well and helps me find stuff easily! I decided to leave Alfred where it was and not bother with it again until I read a blog post from @1Password (another killer app). It looked handy that you could invoke Alfred (alt+space bar), type 1P and then the name of the page you wanted to log into, and the browser would launch and log you in. I have a few home routers, a NAS and other devices with web interfaces around the house for which this would be really handy. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I decided to revisit the Alfred demo and pay more attention to it; within half an hour I was sold! I had bought the Powerpack and was deep under the bonnet of Alfred.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
First stop, features. Using Alfred's features is really easy and helps you get things done quickly. Features are the built-in functions of Alfred that the core developers have provided for you. You simply invoke Alfred by hitting alt + space together (or any other hotkey combo you define), which launches the Alfred interface. In the search bar you can then search your contacts, search the dictionary for a word you want to spell, empty the trash, launch any application or ask 1Password to open a link and inject the credentials. All really simple stuff that helps you move quickly through apps.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw22U1CpA98TdHzzzCHMMAIjUirRksxVpHQQ4l2-XsnH9PDWeFIaLWqF2BUJg1H8SEHWTftV5-EEUcEbRfz9okd3RVpAw2Ij737ozcFS_dY0yeJdgM0YtksnwcVZ-jsFwawCNIvQetXEA/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjw22U1CpA98TdHzzzCHMMAIjUirRksxVpHQQ4l2-XsnH9PDWeFIaLWqF2BUJg1H8SEHWTftV5-EEUcEbRfz9okd3RVpAw2Ij737ozcFS_dY0yeJdgM0YtksnwcVZ-jsFwawCNIvQetXEA/s400/1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Some of the System features are really handy. If you are moving from Windows to OS X you might miss things like ctrl+alt+del to lock the screen. This has been built into features, so all you need to do is alt+space then type "lock" and Alfred locks the desktop for you.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXRzrPU4nYFAdd1HdAal7LtnIS1g-_7vkNm3df6J4l54ek4sHjm0firLzMwDBHAxLux5_SjWc8Uuvb6dBP9l5XyDJc8JJ_sEh6bn1038S72tmH4oyOH1J91sI4gOgryo_azK7tE-65hXU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXRzrPU4nYFAdd1HdAal7LtnIS1g-_7vkNm3df6J4l54ek4sHjm0firLzMwDBHAxLux5_SjWc8Uuvb6dBP9l5XyDJc8JJ_sEh6bn1038S72tmH4oyOH1J91sI4gOgryo_azK7tE-65hXU/s400/2.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
Other system features include:</div>
<br />
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicNYMfolyexOxVc4wg_M3cDj2Jc1FArQn6ceSpgzeTNS4c497ursbYDvC1o-CaOlnayEKI2kpIMKVajwgtS1s5Jgl8n7kDSOSzX7Y3M1CLgpo8D4OUEAMUiHR5Xw5BTnJ27X_9cfo3a44/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicNYMfolyexOxVc4wg_M3cDj2Jc1FArQn6ceSpgzeTNS4c497ursbYDvC1o-CaOlnayEKI2kpIMKVajwgtS1s5Jgl8n7kDSOSzX7Y3M1CLgpo8D4OUEAMUiHR5Xw5BTnJ27X_9cfo3a44/s400/3.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: justify;">
After playing with the features I started to look at Workflows. These seemed interesting but needed a bit more thought. Within the workflows you have the ability to customise how you want Alfred to behave, what you want it to launch and how you want it to search. You can pass it a search term, which in turn can call a Python script and return you some data. This can be displayed in huge writing on the screen or as a simple notification in the notification centre.</div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
I decided to start with a simple script. All it would do is work out my public IP and display it; nothing ground-breaking but pretty handy. To do this I would call a bash script that would query checkip.dyndns.org and then display the result on the screen. </div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
First off I added a new workflow and defined a "keyword" of myip. This would in turn call a /bin/bash script that used curl and sed to work out my address, the result of which would be pushed to the screen via the notification system. Here it is: </div>
<br />
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdjR3S3wUGAhojslIAMlKMoiZiE55ck9uMJ_J9J12zKMoCBReT-7M_8u8gZaKeRZZbGoFSC94LMoujighDrlCEWwNtLkYioGORHztjp98gTNLRwJJA2cxm_YIW-3_93dr3iSfQe_qMtNM/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdjR3S3wUGAhojslIAMlKMoiZiE55ck9uMJ_J9J12zKMoCBReT-7M_8u8gZaKeRZZbGoFSC94LMoujighDrlCEWwNtLkYioGORHztjp98gTNLRwJJA2cxm_YIW-3_93dr3iSfQe_qMtNM/s400/4.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5zaSuqLmWaG5X4nHm2N0eHup4uoVRSPffHzMurPh8aMeQ7yZMEX4P03plfDxGHNf9SBBJym7EMEYJPih9oVObzFG89Rj03hzIKjzNwKXLmL3hxfrIEKLZ3le0ue29VmB-ILID5ydbbY/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA5zaSuqLmWaG5X4nHm2N0eHup4uoVRSPffHzMurPh8aMeQ7yZMEX4P03plfDxGHNf9SBBJym7EMEYJPih9oVObzFG89Rj03hzIKjzNwKXLmL3hxfrIEKLZ3le0ue29VmB-ILID5ydbbY/s400/5.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-e5xtmo52p5USzK524QNUg50iCNQCTb3_0Ad7eY4I04kb6OOx1zt7iX1z34cj3bbrLyZD3kSFEcV_WFtF0r4PjyoR70r-5LZc4YwujtPHBqMzG1udhB9FYvuTipeboTLXhp9_fHsTYlo/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-e5xtmo52p5USzK524QNUg50iCNQCTb3_0Ad7eY4I04kb6OOx1zt7iX1z34cj3bbrLyZD3kSFEcV_WFtF0r4PjyoR70r-5LZc4YwujtPHBqMzG1udhB9FYvuTipeboTLXhp9_fHsTYlo/s400/6.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both;">
Within 10-15 mins I had created a handy little tool. </div>
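<div class="separator" style="clear: both;">
The myip step described above, as an added example that is not the post's own script: it parses the reply from checkip.dyndns.org with sed and only passes a validated IPv4 address on to the notification, so nothing unexpected from the HTTP body gets displayed. The sample reply body is constructed here to match the shape of the real one; the curl fetch in myip is the only part that needs the network.</div>

```shell
#!/bin/sh
# Added example, not the workflow's own script.

# Constructed sample of a checkip.dyndns.org reply body (same shape as the real one).
SAMPLE_BODY='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.7</body></html>'

# Read the HTML body on stdin and print only a well-formed IPv4 address.
# Returns 1 (and prints nothing) if no address is found or an octet is out of range,
# so the caller fails closed instead of pushing arbitrary text to a notification.
extract_ip() {
    ip=$(sed -n 's/.*Current IP Address: *\([0-9.]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # Split on dots and check every octet is 0..255.
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$ip"
}

# Live lookup: curl is assumed to be installed, as in the post. A short timeout
# keeps the workflow from hanging if the service is unreachable.
myip() {
    curl -fsS --max-time 5 http://checkip.dyndns.org/ | extract_ip
}

# Offline demo on the constructed sample.
printf '%s' "$SAMPLE_BODY" | extract_ip
```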
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
If you are not from a programming background, knocking some of these up might be a bit of a challenge. Fear not… the internets have done the hard work. Just by looking around the web, and via a link (see bottom of post) from <a href="https://twitter.com/_amitsbajaj" target="_blank">@_amitsbajaj</a>, I have found a load of workflows that I think are awesome. Below are a few I'm using:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<b>Currency Convertor</b> - Does what it says on the tin: you pump in the value in the currency you have and it spits out the GBP, using Google Finance to calculate.</div>
<br />
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwrKcu8NMP8MtgHkdAD6P12u6TzxsFVmwX5DreasOpa7ygDW-Nz10D3TsWH0XG70ruyiwqCF1a7u4T8Zfz3kvPMyN8jhy3ajq1NjGJHyPs99Ts_Xh5k8Y55GCEh8MX-Zg0QkgxiIfKh1A/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwrKcu8NMP8MtgHkdAD6P12u6TzxsFVmwX5DreasOpa7ygDW-Nz10D3TsWH0XG70ruyiwqCF1a7u4T8Zfz3kvPMyN8jhy3ajq1NjGJHyPs99Ts_Xh5k8Y55GCEh8MX-Zg0QkgxiIfKh1A/s400/7.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<b>Dig</b> - Makes DNS queries quick and simple. It can also handle different types of DNS query by passing in the type at the end, e.g. dig bbc.com MX would give you the MX records.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq0mJN6z_WzASHBc5PoV-x13pD71ALEg-6UwMcvymvRWUcKo7v0tDzxvdTueosGRtV112eMofzaPPHH441l-T-cb91mvo9J1eUYSzDdgfntNuAA_mOVLiXjHlSYEJgkyb-FS_vpTFHcNU/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhq0mJN6z_WzASHBc5PoV-x13pD71ALEg-6UwMcvymvRWUcKo7v0tDzxvdTueosGRtV112eMofzaPPHH441l-T-cb91mvo9J1eUYSzDdgfntNuAA_mOVLiXjHlSYEJgkyb-FS_vpTFHcNU/s400/8.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Space</b> - Quickly shows remaining disk space. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDDfJX4aGms5KDr1Uqi6YdaE33uvv6gwTNW-Yc7NNJ5VhbDJBtWbypmvwJ-OPr0nddVEMryTJCq59_02gF5iRgW9bT-o9Y8nHCMK1HVotmaNeyhBqhePa0hAGaEuP_nkcmQ4xgnd_xMgs/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDDfJX4aGms5KDr1Uqi6YdaE33uvv6gwTNW-Yc7NNJ5VhbDJBtWbypmvwJ-OPr0nddVEMryTJCq59_02gF5iRgW9bT-o9Y8nHCMK1HVotmaNeyhBqhePa0hAGaEuP_nkcmQ4xgnd_xMgs/s400/9.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both;">
<b>Skype</b> - There are a number of commands that let you instantly message your contacts or make a call.</div>
<br />
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz_Clq5AbP74r_MDpvs-Tb1CUbfr0jqKZ9olY7On7UbtW7wMKDvj33lDFESE7XyqK5MJs2rSXs8wRzrKd6so_rxQFZN9cRpYvYaxvCqCeSrWtLHyGVA_1q6MaH9quSVP8INeiacx4LdXk/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="92" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz_Clq5AbP74r_MDpvs-Tb1CUbfr0jqKZ9olY7On7UbtW7wMKDvj33lDFESE7XyqK5MJs2rSXs8wRzrKd6so_rxQFZN9cRpYvYaxvCqCeSrWtLHyGVA_1q6MaH9quSVP8INeiacx4LdXk/s400/10.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
</div>
<div class="separator" style="clear: both;">
Check out the links below for more on Alfred and workflows:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
</div>
<div class="separator" style="clear: both;">
<a href="http://www.alfredapp.com/">http://www.alfredapp.com</a></div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
<a href="http://www.alfredworkflow.com/">http://www.alfredworkflow.com</a></div>
<div class="separator" style="clear: both;">
<br /></div>
<br />
<br />
<div style="text-align: justify;">
<br /></div>