ED 420: Jailbreaking an iPhone with Checkra.in (15 extra)

What You Need

Purpose

To get root on an iPhone so we can install Unix utilities, compile code, and work with Arm64 exploits.

Preparing your iPhone

I strongly recommend using a "burner" phone with no personal data on it. Jailbreaking a phone voids your warranty and the changes we make may not be easily reversible.

If your phone has important data on it, at least back it up first with iCloud or iTunes.

Installing CheckRain

On your Mac, in a Web browser, go to

https://checkra.in/releases/0.9.7-beta

Download this old version of Checkra1n, as shown below. The next version is broken and won't work.

Install the Checkra1n app and launch it, as shown below.

Checking iOS Version

Connect your iPhone to your Mac with the USB cable.

If iTunes launches, close it.

Checkra1n detects your phone, as shown below.

If Checkra1n says your phone's iOS is too old, as shown below, do the steps in the "Restoring and Updating your iPhone" section below. If not, skip that section and proceed to "Jailbreaking your iPhone".

Restoring and Updating your iPhone

Reboot your phone into recovery mode and restore it using Finder.

To do this on the iPhone 5S, hold down the Home button and the top button together until the phone reboots. Keep holding both buttons down while the Apple logo displays, until you see the screen below.

Connect the phone to your Mac using an iPhone cable. On the Mac, open Finder (or iTunes on older macOS versions). On the left side, click iPhone.

Agree to any prompts that appear so the devices trust one another.

Finder shows a message, as shown below.

Follow the messages to restore the iPhone to its default settings and update to iOS 12. On my phone, the steps were:

  • Check
  • Restore
  • Check
  • Restore and Update
  • Next
  • Agree

It will show this message: "...downloading the software for this iPhone..." for a while. Be patient. You can see the download progress in Activity Monitor on the Network tab; it needs to download more than 1 GB of data.

When I did it, it downloaded 1.5 GB of data, restarted the iPhone, and continued downloading more data, up to 8.45 GB.

After that the iPhone could not be activated and iTunes no longer recognized it, so I entered recovery mode again and clicked Update in iTunes.

iTunes showed "Updating iPhone Software..." and the iPhone showed an Apple logo with a slow progress bar.

The iPhone restarted again and another progress bar moved across, more quickly.

iTunes now offered to "Set up as new iPhone". I did that. I saw this screen for about 5 minutes before my phone rebooted.

Then the iPhone screen went black, so I hit the Home button and tried to start it but it would not activate.

So I unplugged it and plugged it in again. Finder then spent a few minutes waiting and showed an "Activating" message, as shown below.

Then it showed this message:

'The iPhone "iPhone" cannot be synced. The operation timed out.'

Jailbreaking your iPhone

Connect your iPhone to your Mac with the USB cable.

iTunes launches. Close it.

Checkra1n detects your phone, as shown below.

Check the "Verbose Boot" box and click Start.

The next screen explains DFU mode. Read it and click Next.

The phone shows a picture of a cable.

iTunes launches again. Close it again.

Now you need to press some buttons, guided by the Checkra1n screens. The first screen is shown below.

Follow the instructions, pressing buttons. When you get it right, the phone will reboot, with a lot of text scrolling by.

iTunes launches again. Close it again.

Checkra1n tells you it's done, as shown below.

Click the Done button.

Close Checkra1n.

Installing Cydia

Swipe up from the bottom of the screen to wake your iPhone.

Your home screen shows a "Trust This Computer?" box, as shown below.

Click Trust.

Your iPhone now has a checkra1n icon, as shown below.

Tap the checkra1n icon.

If your iPhone is offline, connect to a Wi-Fi network and relaunch checkra1n.

In the "Loader" screen, click Cydia, as shown below.

Click "Install Cydia".

Cydia now appears on your iPhone, as shown below.

Upgrading Cydia

On your iPhone, launch Cydia.

At the bottom, click Changes, as shown below.

The next screen shows three recommended upgrades, as shown below.

At the top right, click Upgrade.

Click Confirm.

Click "Restart SpringBoard".

Get Homebrew

Open a Terminal and execute this command:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Connect to the iPhone With USB

Plug in a cable connecting your iPhone to the Mac.

On the Mac, in a Terminal window, execute these commands to install libimobiledevice and start a proxy listening on port 2222 on the Mac, which forwards connections over the USB cable to port 44 on the iPhone.

This works because the Checkra.in jailbreak adds a service listening on port 44 for this purpose.

brew install libimobiledevice
iproxy 2222 44

Leave this window open, as shown below.

In a new Terminal window, execute this command:

ssh -p 2222 root@localhost

Agree to connect by typing yes and enter the password, which should be either alpine or notalpine for the devices provided by your instructor.

You should see a root command prompt, as shown below.

Troubleshooting

If you see a message saying

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
that probably means a different iPhone, with its own SSH host key, was connected to this Mac earlier through the same localhost:2222 forward. To proceed, execute this command:

nano ~/.ssh/known_hosts

Go to the bottom of the file and delete the line beginning with:

[localhost]:2222
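The cleanup above, as an added example that is not part of the original lab: a small POSIX shell script that removes the stale [localhost]:2222 entry from a known_hosts file and reports how many lines it dropped. The sample known_hosts it writes is constructed here with placeholder keys (they are not real host keys), and the temporary path under /tmp is an assumption; on a real Mac you would point remove_stale_host_key at ~/.ssh/known_hosts instead. The point of the script is to do exactly what the nano step does, but only for lines that start with that host token, so nothing else in the file is touched:

```shell
#!/bin/sh
# Added example, not part of the original lab page.
# Every jailbroken phone has its own SSH host key, but all of them are reached
# through the same iproxy forward on localhost:2222, so ssh sees one "host"
# whose key keeps changing. Clear the entry only when you know the cause is a
# different phone: the same warning is what ssh raises for a man-in-the-middle.

# Write a constructed sample known_hosts (placeholder keys, not real ones) to $1.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000000000
[localhost]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEOLDPHONEKEYNOTREAL00000000000000
example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL1111111111111111111111
EOF
}

# Count the lines of known_hosts file $1 that begin with host token $2
# (for example "[localhost]:2222") followed by a space.
count_host_entries() {
    awk -v p="$2 " 'index($0, p) == 1 { n++ } END { print n + 0 }' "$1"
}

# Remove those lines from $1 in place and print how many were removed.
# Real use: remove_stale_host_key ~/.ssh/known_hosts "[localhost]:2222"
remove_stale_host_key() {
    file="$1"; host="$2"
    [ -f "$file" ] || { echo 0; return 0; }   # nothing to clean
    removed=$(count_host_entries "$file" "$host")
    tmp="${file}.tmp.$$"
    # Keep every line that does NOT start with the host token.
    awk -v p="$host " 'index($0, p) != 1' "$file" > "$tmp"
    mv "$tmp" "$file"
    echo "$removed"
}

# Demonstration on a throwaway copy so the script runs stand-alone.
demo="${TMPDIR:-/tmp}/known_hosts_demo.$$"
make_sample_known_hosts "$demo"
echo "removed $(remove_stale_host_key "$demo" "[localhost]:2222") entry; $(wc -l < "$demo" | tr -d ' ') lines remain"
rm -f "$demo"
```

Two practical notes. If your Mac's ssh is configured with HashKnownHosts, the entries are stored hashed and no longer start with a readable host name, so a literal match finds nothing; the standard tool for that case is ssh-keygen -R "[localhost]:2222", which removes the entry whether or not it is hashed. And if you regularly plug different lab phones into the same Mac, you can avoid the collision altogether by giving each phone its own alias for host-key storage, for example ssh -o HostKeyAlias=iphone-lab-3 -p 2222 root@localhost, so each phone's key is remembered under its own name and a genuine key change still triggers the warning.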

Installing OpenSSH (Optional)

This allows you to connect over Wi-Fi, which is riskier than using a USB cable, but may be more convenient.

Launch Cydia again.

In the lower portion of your screen, click "OpenSSH Access How-To".

In the next screen, in step 1, click the blue OpenSSH link, as shown below.

On the next screen, at the top right, click OPEN, as shown below.

On the next screen, at the top right, click Install.

Click Confirm.

Click "Return to Cydia".

Finding your iPhone's IP Address

On your iPhone, open Settings.

Click Wi-Fi. On the line showing your Wi-Fi network's name and a check mark, click the blue circled i, as shown below.

Your IP address appears, as shown below.

Connecting with SSH

On your Mac, open a Terminal and execute this command, replacing the IP address with the IP address of your iPhone.

ssh root@172.20.10.3

It asks "Are you sure you want to continue connecting (yes/no)? ". Answer:

yes

Enter this password:

alpine

Changing the Root Password

Execute these commands to change the password. If you are using one of our in-class iPhones, please use the exact password shown below. Otherwise, choose any strong password you like.

passwd
notalpine
notalpine

Flag ED 420.1: uname (15 pts)

In your SSH session, execute this command.

uname

The flag is covered by a green rectangle in the image below.

References

Homebrew: The missing package manager for macOS (or Linux)
SSH Over USB

Posted 12-10-19
Updated for SSH over USB 12-15-19
Updated to use older checkra1n version 2-11-2020
Checkra1n URL fixed 2-12-2020