Hey, there i have been working around for you guys so hard and you are,
Not even subscribing to my posts.
It hurts direct in my heart.
So,Lets start with some basics do you can understand the way i do.
Basics
As with most handheld devices,
The iPhone has a locking mechanism to protect the device’s data.
This locking mechanism can be manually invoked, but is more frequently invoked by an “Auto-Lock” feature. The “Auto-Lock” feature will wait for the phone to be idle for a user defined number of minutes before automatically invoking the locking mechanism.
When the device is in the locked and powered on state, the data on it cannot be accessed via iTunes or any other means.
Once the iPhone is in a locked state, the user must enter a pass code to access the device. This prevents against data theft in a scenario where the device is lost or stolen. The pass code is normally 4 digits long, which may be susceptible to brute force attacks given enough time and patience. There is also a delay after a certain number of incorrect attempts.
Finally, the device can wipe its memory if the lockout threshold is reached which would probably end up deterring most attackers. The locking mechanism can also be set to use a more complex password containing any combination of letters, numbers or symbols. This can be done using the iPhone Configuration Utility freely available from Apple (
http://www.apple.com/support/iphone/enterprise/).
Keychain
The Keychain The keychain is a SQLite database stored in the/private/var/Keychains/keychain-2.db file on the iPhone. It stores the passwords used on the device, including any passwords used for email accounts. As of firmware version 2.2(?), the device pass code is also stored within this keychain file.
Our Hacking Tool
is a closed-source, Windows-based tool for jail breaking the iPhone released by the iPhone Development team and poorlad.
What makes
QuickPwn unique is the method it uses to write data to the
iPhone. Normally, when an iPhone is reflashed using iTunes, all data on the device is lost.
QuickPwn uses a different method which preserves all data except the data it is explicitly told to overwrite. QuickPwn was written so iPhone owners can easily jail break their iPhone with limited technical savvy.
Bypassing the Pass code
Let’s start to put all of this information together. We know that the pass code is stored within the keychain.
If we can overwrite the keychain with one that doesn’t contain a pass code, we may be allowed to bypass the pass code protecting the device (because it doesn’t exist after we overwrite it!).
We also know that if we put the phone in DFU mode, we can overwrite data on the phone, and if we use QuickPwn, we can selectively overwrite only particular data. So, using a customized QuickPwn package, we can overwrite the keychain and effectively bypass the pass code.
Result Once we bypass the pass code, all locally stored data (photos, emails, contacts, notes, etc...) is accessible.
Remember, the keychain also stores the passwords for other applications.
This means that if we overwrite the keychain file, we will have to re-input all passwords for applications which use the keychain. During testing, I was able to access all locally stored emails (including exchange accounts, etc...),
but could not send or receive any new emails because I did not have the password stored in my keychain. As I discovered later on, it is possible to simply move the keychain then access it at a later date.
his process was detailed on
http://www.zdziarski.com/ To bypass the pass code in v2.2, all one needs to do is move the keychain out of the way, then reboot.
mv /private/var/Keychains/keychain-2.db / This preserves the suspect's keychain, resets the pass code, and also temporarily disables any account passwords from the device so that the suspect's accounts won't be accessed by the iPhone, further preserving the file system.
To restore all accounts, move the old keychain file back and reboot. You can manually remove the pass code lock from the keychain by deleting its record with sqlite3: delete from genp where acct = "DeviceLockPassword"; The process described below will only work on iPhone 3G devices. However, the process can be modified to work with other models.
NOTE : No testing was performed on firmware versions besides 2.2.1. Since firmware 2.2 was first to store the pass code in the keychain, this exact sequence will not work on previous versions. However, the previous versions can be easily changed by modifying the settings file which enables the lock functionality as described in Jonathan
Zdziarski’s webinar.
Procedure
Test Environment Testing was performed using a jail broken iPhone 3G 8GB (Phone A - which is used as our testing phone) and a stock, non-jail broken iPhone 3G 16GB (Phone B - which is our target phone). Phone B was set up with an Exchange email account, and various personal data (notes, pictures, etc.).
Additionally, Phone B was configured with a pass code. The goal of the testing was to retrieve all of this data from Phone B without knowledge of the pass code. The other hardware used was a laptop running Windows XP with iTunes 8, and an Ubuntu Linux VM.
Copying the Keychain Phone A (test phone, previously jail broken using QuickPwn) was configured with a pass code then accessed remotely via SSH. The keychain was compressed with permissions intact:
iphoneA # tar –pcvf Keychain.tar /private/var/Keychain/keychain-2.db \ /private/var/Keychain/TrustStore.sqlite3
It was then copied off of the device using WinSCP
QuickPwn version 2.2.5-2
To access the actually QuickPwn executable and data follow these steps:
1. Double click QuickPwn.exe
2. While QuickPwn.exe is running, go to Start -> Run and type %TEMP%
3. Look for the RarSFXN (where N is a number, this value changes per computer) directory or the last directory created . A look into this directory should reveal that it contains QuickPwn.exe and a number of additional files and directories. This is the QucikPwn application.
4. Copy this entire directory to a new location. In the example below, I have copied the directory to C:\RarSFX1.
5. Close the QuickPwn application.
Your directory should look similar to the screenshot below:
Modifying Cydia, Cydia is a package manager for applications written to run on jail broken iPhones.
It’s normally installed when you use QuickPwn to jail break a phone.
In order to bypass the pass code on Phone B, we’ll add the Keychain copied from Phone A and integrate it into the Cydia package.
This ensures the Keychain is installed on Phone B during the jail break process with QuickPwn.
Using our example, copy C:\RarSFX1\Data\Cydia.tar.gz and our Keychain.tar to the Ubuntu Linux VM via SCP. Decompress Cydia.tar.gz then Keychain.tar.
Then recompress the Cydia and the Keychain directory structures together into a single zipped tarball named Cydia.tar.gz. Ensure you preserve all permissions and run all commands as root.
LinuxBoxen # tar –pxvf Cydia.tar.gz LinuxBoxen # tar –pvf Keychain.tar LinuxBoxen # rm Cydia.tar.gz Keychain.tar LinuxBoxen # ls –tla private/var/Keychain/keychain-2.db -rw------- 1 64 root 28672 2009-02-04 12:51 private/var/Keychains/keychain-2.db LinuxBoxen # tar –pcvf Cydia.tar . LinuxBoxen # gzip Cyida.tar
The command on line 4 is to verify that Keychain.tar decompressed properly and the keychain-2.db file exists with proper permissions. Now use WinSCP to copy your newly created Cydia.tar.gz from the Linux VM to the Windows system and replace the
C:\RarSFX1\Data\Cydia.tar.gz
file with it.
Modifying QuickPwn Next, QuickPwn must be modified so it won’t run its checks to ensure the device is connected properly when it first launches. We do this because Phone B is locked so it will not register properly with QuickPwn.
Decompress them both, then load reflector and the Reflexil Add-On:
1. Launch Reflector, select C# from the drop down menu in the middle, then go to View -> Add-Ins
2. Click Add and select Reflexil.dll from the folder where you placed the decompressedReflexil zip.
3. Select Open then close the Add-In window
4. Next, go to File -> Open and select c:\RarSFX1\QuickPwn.exe.
5. To remove the Splash Screen: expand QuickPwn -> QuickPwn.exe -> { } QuickPwn -> frmStartup and double click "LaunchSplash(): Void".
6. Go to Tools -> Reflexil v0.9 to load the Add-In. You should see the Reflexil pane open in the right of the Reflector window
7. In the Reflexil pane on the bottom right, highlight all instructions except the last(opcode: ret). Right click and delete all the lines thus removing the splash screen display code.
8. Now for the good stuff! In the left hand pane of .Net Reflector expand QuickPwn -> QuickPwn.exe -> { } QuickPwn -> frmStartup and double click "picNext_Click(Object, EventArgs): Void". This is the function for the startup form which activated the Next button.
9. In the Reflexil pane on the bottom right, go down to instruction 09, right click -> edit and change the opcode from "brfalse.s" to "brtrue.s"
10. Finally, expand QuickPwn -> QuickPwn.exe -> { } QuickPwn -> frmFirmware and double click double click ".ctor()"
11. In the Reflexil pane on the bottom right go down to instruction 28 and change the opcode from "brfalse" to "brtrue"
12. Then, in the Reflexil pane on the bottom right go down to instruction 32 and change the opcode from "brture.s" to "brfalse.s"
13. Finally, click QuickPwn.exe from the left pane tree, and click “Save As” from the Reflexil pane on the bottom right. Save it as C:\RarSFX1\QuickPwn.Patched.exe
so, you can really make it saved.
Finishing up the Process
The last step is to jail break Phone B and overwrite its Keychain with the Keychain from Phone A.
Launch the patched QuickPwn executable (QuickPwn.Patched.exe) while ensuring no phones are connected to the Windows computer.
You’ll notice that the splash screen doesn’t start up, and the blue “Next” arrow is grayed out. Even though its grayed and looks disabled, just click on it to continue.
Follow the instructions by providing it the 2.2.1 firmware IPSW and once you get to the “Preparing to Pwn” screen (shown below) connect your passcode protected device.
Again, the Next button may not turn blue, but you should be able to click it anyway. Now follow the on-screen directions to put your phone into DFU mode.
Once the process completes and you see the Apple logo on the screen of the iPhone, disconnect the USB cable and your device should be no longer passcode protected.
I’m sure if you decided to write your own application specifically for this process you’d be able to do this a little more efficiently.
