Fried Apples: Jailbreak DIY - Black Hat
March 28-31, 2017

Fried Apples:
Jailbreak DIY
Alex Hude, Max Bazaliy, Vlad Putin

Who we are?
o Security research group
o Focused on hardware and software exploitation
o Made various jailbreaks for iOS, tvOS, watchOS
o Contributors to the jailbreak community

iOS Security Overview
o Secure Boot Chain
o Mandatory Code Signing
o Sandbox
o Exploit Mitigations
o Data Protection
o Secure Enclave Processor

What is jailbreak?
o Disable OS restrictions
o Gain full access to device
o Install 3rd-party tools and apps
o Exploit chain required

Jailbreak types
o Tethered - Re-exploit device on each boot manually
o Untethered - Re-exploit device on each boot automatically

Initial attack vector strategies
o Application archive (IPA) based
o USB payload based
o WebKit/SMS/baseband based

Making jailbreak if you have bugs
o Write an exploit chain
o Patch OS security restrictions
o Install persistent binary
o Add Cydia/ssh/remote shell

Making jailbreak if you don't have bugs
o Write an exploit chain (use public write-ups)
o Patch OS security restrictions
o Install persistent binary
o Add Cydia/ssh/remote shell

Implementation

Arbitrary code execution strategies
o ROP
o Binary with Mach-O bug
o JavaScriptCore JIT region
o Sign with developer/enterprise certificate

Bypassing sandbox strategies
o TOCTOU / Symlinks
o XPC
o Kernel patch

Escalating privileges strategies
o Code injection in system service
o Kernel patch

Bypassing KASLR strategies
o Information leak
o Brute force

Bypassing DEP strategies
o JavaScriptCore JIT
o Userland mmap/mprotect bug
o Kernel patch
o ROP chain

Seeking patches in the kernel
o Static patchfinder (memmem): string/pattern search, xrefs + instruction analysis
o Dynamic patchfinder: syscall, sysctl, mach location, known structs + emulation

Kernel patches in detail
o root
o task_for_pid(0)
o amfi
o sandbox
o __mac_mount
o _mapForIO

Escalate privileges
o Interesting APIs are restricted
o task_for_pid, mount etc.

Escalate privileges patch
o Find setreuid
o Find ruid/euid checks
o Patch to skip reuid checks condition

Escalate privileges patch detailed

Kernel task
o Easy access to kernel memory
o Required for some kernel utilities

Kernel task patch
o Patch task_for_pid
o Re-implement task_for_pid in ROP
o Find kernel task in memory

Kernel task patch detailed

Kernel task patch detailed

Apple Mobile File Integrity (AMFI)
o Run unsigned code
o Fake entitlements
o Get other process tasks
o Restrictions on mmap, mprotect etc.

AMFI patch
o Patch amfi_get_out_of_my_way
o Patch PE_i_can_has_debugger
o Patch amfi mac policies

AMFI patch detailed

AMFI policy patch detailed

AMFI policy patch detailed

AMFI policies to patch

Sandbox
o Access files outside the mobile container
o Unrestricted use of system APIs

Sandbox patch
o Patch sb_evaluate (allow all)
o Hook sb_evaluate
o Patch sandbox mac policies

Sandbox patch detailed

Sandbox patch detailed

Sandbox policies

__mac_mount
o Remount system partition
o Get write access to system partition

__mac_mount patch
o Patch __mac_mount
o Call mount_common from kernel

__mac_mount patch detailed

_mapForIO lock
o "/" is mounted as read-only
o only "/private/var" can be written
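The two bullets above state an invariant of a stock device: the system volume is mounted read-only and only the data volume ("/private/var") accepts writes. As an added check, not code from the talk or from the BBQit framework, the C below queries the mount flags through POSIX statvfs and evaluates that invariant; the function names are mine, and the mount-point paths are parameters so the check can be run against whatever layout the system under inspection uses.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/statvfs.h>

/* Return 1 if the filesystem holding `path` is mounted read-only,
 * 0 if it is writable, -1 (errno set by statvfs) if it cannot be queried. */
int fs_is_readonly(const char *path)
{
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_RDONLY) ? 1 : 0;
}

/* Evaluate the invariant from the slide: the system volume must be
 * read-only while the data volume is writable.
 * Returns 1 when the invariant holds, 0 when it is violated
 * (a writable system volume is the condition a remount produces),
 * -1 if either mount point cannot be queried. */
int system_partition_invariant_holds(const char *system_root, const char *data_root)
{
    int sys = fs_is_readonly(system_root);
    int data = fs_is_readonly(data_root);
    if (sys < 0 || data < 0)
        return -1;
    return (sys == 1 && data == 0) ? 1 : 0;
}

int main(void)
{
    /* Paths follow the iOS layout named on the slide; on another OS
     * substitute the mount points that should be read-only / writable. */
    const char *checks[] = { "/", "/private/var" };
    for (int i = 0; i < 2; i++) {
        int ro = fs_is_readonly(checks[i]);
        if (ro < 0)
            printf("%s: cannot query (%s)\n", checks[i], strerror(errno));
        else
            printf("%s: %s\n", checks[i], ro ? "read-only" : "writable");
    }
    printf("invariant holds: %d\n",
           system_partition_invariant_holds("/", "/private/var"));
    return 0;
}
```

The check reads only the mount flags, so it says nothing about whether individual files under the system volume have been altered; it tells a defender the one thing the slide cares about, namely whether the system volume is currently writable.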

_mapForIO lock patch
o Patch _mapForIO
o Patch PE_i_can_has_kernel_configuration

_mapForIO lock patch detailed

Kernel Patch Protection

Bypassing KPP strategies
o Checks for kernel pages, MMU, sysregs
o Execution on EL3
o Can't disable, can race or …

How KPP works?
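The "checks for kernel pages" bullet on the previous slide describes an integrity monitor: it records what the protected pages should contain and periodically re-verifies them. As an added illustration, not code from the talk or from the BBQit framework, the following user-space C model snapshots a per-page digest of a constructed region and reports the first page whose contents changed. The 64-byte page size, the FNV-1a digest and the sample bytes are assumptions of the model, not details of Apple's implementation.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE_MODEL 64   /* constructed: tiny pages so the model fits on the stack */
#define NPAGES 4

/* FNV-1a 64-bit: a non-cryptographic digest that is enough for the model.
 * A real monitor would use a cryptographic or keyed hash. */
uint64_t fnv1a64(const uint8_t *data, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record one digest per page of the protected region (the "known good" state). */
void region_snapshot(const uint8_t *region, size_t npages, uint64_t *digests)
{
    for (size_t p = 0; p < npages; p++)
        digests[p] = fnv1a64(region + p * PAGE_SIZE_MODEL, PAGE_SIZE_MODEL);
}

/* Re-hash every page and compare with the snapshot.
 * Returns the index of the first page that differs, or -1 if all match. */
long region_verify(const uint8_t *region, size_t npages, const uint64_t *digests)
{
    for (size_t p = 0; p < npages; p++)
        if (fnv1a64(region + p * PAGE_SIZE_MODEL, PAGE_SIZE_MODEL) != digests[p])
            return (long)p;
    return -1;
}

/* Constructed scenario: a region of NPAGES pages filled with a known pattern
 * is snapshotted, then one byte in page 2 is altered.
 * Returns the page index the verifier reports (2 for this scenario). */
long demo_detect_patch(void)
{
    uint8_t region[NPAGES * PAGE_SIZE_MODEL];
    uint64_t digests[NPAGES];

    for (size_t i = 0; i < sizeof region; i++)
        region[i] = (uint8_t)(i * 7 + 3);        /* constructed "code" bytes */

    region_snapshot(region, NPAGES, digests);
    if (region_verify(region, NPAGES, digests) != -1)
        return -2;                                /* unmodified region must verify */

    region[2 * PAGE_SIZE_MODEL + 5] ^= 0x01;      /* simulate a one-byte modification */
    return region_verify(region, NPAGES, digests);
}

int main(void)
{
    printf("first modified page: %ld\n", demo_detect_patch());
    return 0;
}
```

A monitor of this shape only observes memory at the moment it samples, which is the window the slide's "can race" point refers to. The real KPP runs at EL3 and also checks MMU state and system registers, none of which this model attempts.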

Original translation table

Create fake Level 1 table

Create fake Level 2 table

Create fake Level 3 table

Create fake pages

BBQit Framework

KPP bypass technique

KPP bypass technique (continued)

Achieving persistence strategies
o Find service that spawns on boot
o Check if it is running as root (optional)
o Find userland codesign bug
o Symlink system service to exec cs bypass

Achieving persistence example
o JavaScriptCore jsc interpreter
o Signed by Apple
o Can execute code on RWX segment
o Copy as system service to spawn on boot

Achieving persistence details

SSH
o Copy dropbear or install Cydia
o tcprelay.py -t 22:4222
o Password 'alpine'

Cydia
o Copy tar to /bin/tar
o tar -xvfp cydia.tar
o Optional /.cydia_no_stash
o Flush uicache using /usr/bin/uicache

iOS 10 security enhancements
o New heap layout
o AMFI and Sandbox hardening
o KPP enhancements

iOS 10 amfi mitigations
o MISValidateSignatureAndCopyInfo: replacing it with CFEqual or similar no longer works
o validateCodeDirectoryHashInDaemon: possible race condition fixed
o Policy patches still work

iOS 10 sandbox mitigations
o New operations: boot-arg-set, fs-snapshot*, system-package-check, ...
o New hooks: _hook_iokit_check_nvram_get, _hook_proc_check_set_host_special_port, _hook_proc_check_get_cs_info, ...

iOS 10 KPP enhancements
o New kernelcache layout
o Now _got segments are protected
o New hardware mitigations on iPhone 7/Plus

KPP hardware mitigations
o AMCC
o Watch memory region for any access
o Prevents writing inside region
o Prevents exec outside region

KPP hardware mitigations

Future of jailbreaks
o iOS is more secure on each release
o More security on hardware side
o Exploits will be more valuable
o But there will be bugs and write-ups

Black Hat Sound Bytes
o Jailbreak is doable with public bug info
o Patches and KPP bypass from this talk
o May the XNU source be with you

@FriedAppleTeam
@mbazaliy @getorix @in7egral