fuss:ios (revision 2015/07/07 17:40, compared with the current revision of 2022/08/22 11:16; both by office)

====== Disable Application Updates ======

To stop the App Store from spamming and nagging you about updates for an application that you do not want to update:

  - SSH to your device, as in open a Terminal and type ''ssh root@IP_OF_IDEVICE'' and enter your password. If you have not set a password yet, the default password is ''alpine''. That default is public knowledge, so change it with ''passwd'' as soon as OpenSSH is installed.
  - Run the following to find the directory of the application for which you want to remove update notifications:

<code bash>
cd /var/mobile/Applications && find . -name 'Cool*'
</code>

where ''Cool'' would be the first few letters of the application name (the search is case-sensitive; the quotes stop the shell from expanding the wildcard before ''find'' sees it). Then change to the application directory and move ''iTunesMetadata.plist'' out of the way. As an example:

<code bash>
cd /var/mobile/Applications/08392C1B-656F-46E1-9F7F-C685F9D001C0/
mv iTunesMetadata.plist iTunesMetadata.plist.null
</code>

Done. The App Store will no longer offer updates for that application. Bear in mind that this also hides security fixes for it, so only pin applications that you have a specific reason to keep at their current version. To start receiving update notifications again, move the file back:

<code bash>
cd /var/mobile/Applications/08392C1B-656F-46E1-9F7F-C685F9D001C0/
mv iTunesMetadata.plist.null iTunesMetadata.plist
</code>

====== Disable Multitasking ======
<WRAP important>
Confirmed working perfectly with iOS 4.2.1 but does not work with iOS 5.1.1. For the latest firmware versions, feel free to use a Cydia application that achieves the same effect.
</WRAP>

If Apple trapped you on an iPad 1, so that upgrading to iOS 5.x makes you run out of RAM, and you are also aware that the device cannot be updated to iOS 6, then you may want to consider turning off multitasking on iOS 4 in order to speed the device up to something usable. This also gets rid of crashes when switching applications on iOS 4.2.1.

Even if you leave multitasking turned on, your applications are not running concurrently (an application gets at most a short, bounded time in the background before the system suspends it), which is probably one of the reasons why tweaks such as Backgrounder were created to add real multitasking. From that point of view, apart from the quick-switch bar at the bottom, which you could replace by gathering your applications tidily in folders, there is no reason to keep the redundant app switcher. All applications that are meant to notify you of events send you push notifications regardless of whether they are running or suspended.
===== Fast App Switching =====

Multitasking in iOS is not really what you would expect. If you look at the app switcher (the bar under the dock that you bring up by double-pressing the home button, or with gestures from iOS 4.3), those applications are NOT really running. What Apple introduced in iOS 4 is "fast app switching", which is really a **loading time** optimisation (the name "Nitro" that is sometimes attached to it actually belongs to the JavaScript engine Safari gained in iOS 4.3 and has nothing to do with app switching). When you press the home button (or use gestures) to "background" an application, the operating system puts the application into a suspended state. If you ever owned a laptop, you may remember the "suspend" feature that puts the machine to **sleep** while keeping its memory powered; Apple implemented the same thing at the level of applications. Say you suspend a game: the game is not running, but its memory image stays resident so that when you resume it, it comes back immediately. The same idea can be observed in virtual machine snapshots. Unlike a laptop's "hibernate", nothing is written to a state file: iOS has no swap, so when memory runs low the system simply kills (jettisons) suspended applications and they cold-start the next time they are opened.

In practice, fast app switching does not make anything run faster - it only decreases the loading time when you have started an application, switched to a different one and then switch back to the previous one. In fact, given low memory, keeping suspended applications resident eats up RAM - something that you can (and should) avoid altogether on a device with little of it.

==== Disable Multitasking for iOS4 ====

  * You need OpenSSH and nano installed from Cydia in order to log on to your device and edit files.
  * ''cd'' to ''/System/Library/CoreServices/SpringBoard.app'' and locate your device-specific capabilities file using:

<code bash>
find . -regextype egrep -regex './[A-Z0-9]+\.plist'
</code>

(the character class must include digits, since board names such as ''N90AP'' contain a zero). It should show you a file that looks like:

<code bash>
./K59CP.plist
</code>

but with different letters: the name is the board identifier of your device, for example ''K48AP'' on the iPad 1 or ''N18AP'' on the fourth generation iPod touch. Back the file up first so that the change can be reverted:

<code bash>
cp /System/Library/CoreServices/SpringBoard.app/K59CP.plist /System/Library/CoreServices/SpringBoard.app/K59CP.plist.orig
</code>

then open it using ''nano'', by typing:

<code bash>
nano /System/Library/CoreServices/SpringBoard.app/K59CP.plist
</code>

and change the lines:

<code xml>
 <key>multitasking</key>
 <true/>
</code>

to

<code xml>
 <key>multitasking</key>
 <false/>
</code>

in order to disable multitasking. After that, restart your device and the app switcher will be gone.

====== Veency with OSX ScreenSharing ======

You can access your iDevice using the OSX ScreenSharing client by:

  * Setting a Veency password.
  * Configuring the ScreenSharing client:

{{ ios_screensharing.png |ScreenSharing settings to access iDevice}}

Other settings are possible as well. The most important point is to set a password for Veency in order to be able to connect: Veency is a VNC server, so that password is all that separates anyone on the same network from full control of the screen. Do not leave it empty, and prefer reaching the device through an SSH tunnel rather than exposing the VNC port on untrusted Wi-Fi.

====== Refreshing Camera Roll Photos ======

All camera photos are stored under:
<code>
/private/var/mobile/Media/DCIM/100APPLE/
</code>

If you have Samba installed from Cydia, you can create a share that points directly to that folder. However, photos copied in that way will not show up immediately in the Photos application, because Photos reads its own database rather than the directory. You will need to wipe the database and caches using:

<code bash>
rm -rf /private/var/mobile/Media/PhotoData/{Photos.sqlite,PhotosAux.sqlite,MISC,Caches,Thumbnails}
</code>

after which Photos.app rebuilds them and reloads all the photos stored in the camera roll. Any albums or other metadata kept only in that database are lost in the process, so back ''PhotoData'' up first if you care about them.

====== Using plutil ======

The examples below use the ''plutil'' available on jailbroken iOS through Cydia; Apple's ''plutil'' on OSX takes different options. Suppose we have the following start of a plist XML file called ''preferences.plist'':
<code xml>
<dict>
  <key>CurrentSet</key>
  <string>/Sets/045489D0-E273-11E1-9D1F-63E47A24B5DC</string>
  <key>NetworkServices</key>
  <dict>
    <key>0D1E9088-E273-11E1-91DB-7BC308E606D8</key>
    <dict>
      <key>DNS</key>
      <dict/>
      <key>IPSec</key>
      <dict>
        <key>AuthenticationMethod</key>
        <string>SharedSecret</string>

</code>

And we want to obtain the ''AuthenticationMethod'' value. Each ''-key'' descends one level into the nested dictionaries, so the key path follows the nesting of the file:

<code bash>
plutil -key NetworkServices -key 0D1E9088-E273-11E1-91DB-7BC308E606D8 -key IPSec -key AuthenticationMethod preferences.plist
</code>

Output:
<code>
SharedSecret
</code>

We can also set the key's value by adding the ''-value'' option:
<code bash>
plutil -key NetworkServices -key 0D1E9088-E273-11E1-91DB-7BC308E606D8 -key IPSec -key AuthenticationMethod -value NoMethod preferences.plist
</code>

====== Status Bar Icons ======

Status bar icons are composed of two images, a small and a large one. The ''@2x'' suffix must be appended to the file name to mark the larger (Retina) icon:

''Icon.png'':
<code>
PNG image, 14 x 20, 8-bit/color RGBA, non-interlaced
</code>

''Icon@2x.png'':
<code>
PNG image, 27 x 40, 8-bit/color RGBA, non-interlaced
</code>

====== Starting and Stopping Samba ======

The usual way to install Samba on iOS is to get both the ''Samba Core'' and the ''Samba'' package. The latter offers a way to switch ''samba'' on and off, but the same can be done using ''launchd'''s ''inetd'' compatibility features. The advantage is that the ''smbd'' and ''nmbd'' processes are not loaded permanently into memory but rather on demand, whenever TCP port ''139'', respectively UDP port ''137'', is hit. For that, we create two ''plist'' files in ''/Library/LaunchDaemons'', one for ''smbd'' and one for ''nmbd''. ''Wait'' is ''false'' for ''smbd'' (''launchd'' accepts each TCP connection itself and hands it to a fresh ''smbd'' on its standard descriptors) and ''true'' for ''nmbd'' (a UDP socket cannot be accepted, so ''nmbd'' is handed the listening socket). After creating the files, activate them with ''launchctl load /Library/LaunchDaemons/org.samba.smbd.plist'' and likewise for ''nmbd'', or reboot. Note that both services then listen on every interface, so only enable them on networks you trust.

===== smbd =====

<file xml org.samba.smbd.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

<dict>
    <key>Label</key>
    <string>org.samba.smbd</string>

    <key>Program</key>
    <string>/usr/sbin/smbd</string>

    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockProtocol</key>
            <string>TCP</string>
            <key>SockFamily</key>
            <string>IPv4</string>
            <key>SockType</key>
            <string>stream</string>
            <key>SockServiceName</key>
            <string>netbios-ssn</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
      <key>Wait</key>
      <false/>
    </dict>
</dict>

</plist>

</file>

===== nmbd =====

<file xml org.samba.nmbd.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

<dict>
    <key>Label</key>
    <string>org.samba.nmbd</string>

    <key>Program</key>
    <string>/usr/sbin/nmbd</string>

    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockProtocol</key>
            <string>UDP</string>
            <key>SockFamily</key>
            <string>IPv4</string>
            <key>SockType</key>
            <string>dgram</string>
            <key>SockServiceName</key>
            <string>netbios-ns</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
      <key>Wait</key>
      <true/>
    </dict>
</dict>

</plist>

</file>

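A sanity check for job definitions like the two above, added here as an example and not part of the original page or of Samba: it parses a LaunchDaemon plist with Python's standard ''plistlib'' and flags the inetd-compatibility mistakes that silently break on-demand launching. The sample plists are constructed inside the block (they mirror the two files above, plus a deliberately broken ''nmbd''); the rules encode inetd semantics as ''launchd'' implements them: a ''Wait=true'' job is handed the listening socket itself, which is the only option for a datagram socket, while a ''Wait=false'' job receives one already-accepted TCP connection.

```python
import plistlib

def sample_job(label, program, proto, stype, service, wait):
    """Build an XML plist shaped like the Samba LaunchDaemons (constructed sample)."""
    return plistlib.dumps({
        "Label": label,
        "Program": program,
        "Sockets": {"Listeners": {
            "SockProtocol": proto, "SockFamily": "IPv4",
            "SockType": stype, "SockServiceName": service}},
        "inetdCompatibility": {"Wait": wait},
    })

# Constructed samples: the two jobs above plus a broken nmbd with Wait=false.
SMBD_PLIST = sample_job("org.samba.smbd", "/usr/sbin/smbd", "TCP", "stream", "netbios-ssn", False)
NMBD_PLIST = sample_job("org.samba.nmbd", "/usr/sbin/nmbd", "UDP", "dgram", "netbios-ns", True)
BAD_NMBD_PLIST = sample_job("org.samba.nmbd", "/usr/sbin/nmbd", "UDP", "dgram", "netbios-ns", False)

def check_inetd_job(plist_bytes):
    """Return a list of problems found in one launchd job plist; empty means ok."""
    job = plistlib.loads(plist_bytes)
    problems = []
    if not job.get("Label"):
        problems.append("missing Label")
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    if not program:
        problems.append("missing Program / ProgramArguments")
    elif not program.startswith("/"):
        problems.append("Program must be an absolute path: %r" % program)
    inetd = job.get("inetdCompatibility")
    if inetd is None:
        problems.append("no inetdCompatibility: the daemon would be started once, not per connection")
        return problems
    wait = bool(inetd.get("Wait", False))
    sockets = job.get("Sockets") or {}
    if not sockets:
        problems.append("inetdCompatibility set but no Sockets to listen on")
    for name, entry in sockets.items():
        # A Sockets value is either one dictionary or an array of them.
        for sock in (entry if isinstance(entry, list) else [entry]):
            stype = str(sock.get("SockType", "stream")).lower()
            if stype == "dgram" and not wait:
                problems.append("%s: dgram socket needs Wait=true; launchd cannot accept() UDP" % name)
            if not (sock.get("SockServiceName") or sock.get("SockPathName")):
                problems.append("%s: no SockServiceName or SockPathName to bind" % name)
    return problems

if __name__ == "__main__":
    for name, blob in (("smbd", SMBD_PLIST), ("nmbd", NMBD_PLIST), ("bad nmbd", BAD_NMBD_PLIST)):
        print(name, check_inetd_job(blob) or "ok")
```

Run it against the real files with ''check_inetd_job(open(path, "rb").read())'' on the OSX side before copying them over; ''plistlib'' accepts both the XML form shown above and the binary form.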
====== Registering Services with mDNS ======

Services such as ''ssh'', ''http'' or ''smb'' can be registered so that they appear in local network browse lists. The ''dns-sd'' command is used to register them; a registration only lasts as long as the ''dns-sd'' process that made it, so the process is kept alive by ''launchd''.

For example, if we want to register samba so that the device shows up in the local browse lists, we add a ''plist'' at ''/System/Library/LaunchDaemons/org.grimore.smb.dns-sd.plist'' with the following contents. The arguments to ''-R'' are the instance name (left empty here), the service type, the domain and the port, and ''OnDemand'' set to ''false'' keeps ''dns-sd'' running:

<file xml org.grimore.smb.dns-sd.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.grimore.smb.dns-sd</string>

    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/dns-sd</string>
        <string>-R</string>
        <string></string>
        <string>_smb._tcp</string>
        <string>local.</string>
        <string>139</string>
    </array>

    <key>OnDemand</key>
    <false/>
</dict>
</plist>

</file>

====== Error 9 ======

"Error 9" is the code-signing failure you get if the binaries of a package have not been signed: the kernel refuses to run an unsigned (or badly signed) executable and kills it with signal 9, so the common symptom is that the binary just bails out with ''Killed: 9''. To fix this, give the binary a pseudo-signature with saurik's ''ldid'' tool:

<code bash>
ldid -S /path/to/binary
</code>

====== Recursive Sign and Exec (iosign) ======

The following tool can be used to recursively sign binaries, apply the ARMv6 load patch described under "Illegal Instruction 4" below, and turn the exec bit on for shell scripts:

<file bash iosign>
#!/bin/bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2013 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
# Walk the current directory: Mach-O executables get the ARMv6 load patch
# and a pseudo-signature from ldid; shell scripts get their exec bit set.
# Pass -s to run silently.

SILENT=0
if [[ $1 == "-s" ]]; then
  SILENT=1
fi

# -print0 / read -d '' keep file names with spaces or newlines intact.
find . -type f -print0 | while IFS= read -r -d '' i; do
  OP=""
  # "file -b" prints e.g. "Mach-O executable arm" or "Bourne-Again shell script ..."
  FT=$(file -b "$i")
  case $FT in
    Mach-O*executable* )
      OP="Signed: "
      # Rewrite post-indexed "ldr/ldrb r3, [r3], #0" to the offset form so the
      # binary does not trap on A6 devices, then re-sign it (GNU sed needed).
      sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' "$i"
      ldid -S "$i"
      ;;
    Korn* | Bourne* | POSIX*shell* )
      OP="Exec: "
      chmod +x "$i"
      ;;
  esac
  if [[ $SILENT -eq 0 && -n $OP ]]; then
    echo "${OP}${i}"
  fi
done

</file>
====== Offline Maps ======

We can add a trigger to the ''/var/mobile/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb'' maps database by opening the database with ''sqlite3'' and executing:

<code sql>
CREATE TRIGGER prevent_delete BEFORE DELETE ON images BEGIN SELECT raise(IGNORE); END;
</code>

which prevents the Maps application from deleting the map tiles: ''raise(IGNORE)'' silently skips each row the application tries to delete, so Maps carries on as if its purge had succeeded. The cache can then only grow, so keep an eye on free space, and drop the trigger (''DROP TRIGGER prevent_delete;'') to return to normal behaviour.

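What the trigger does, shown on a throw-away in-memory database (an added example, not code from the original page). The ''images'' table here is a simplified stand-in for the real tile cache, whose schema this block does not assume: the point is the ''RAISE(IGNORE)'' semantics, which abort the row operation without raising an error, so a cache purge "succeeds" from the application's point of view while every tile stays put.

```python
import sqlite3

PREVENT_DELETE = (
    "CREATE TRIGGER IF NOT EXISTS prevent_delete BEFORE DELETE ON images "
    "BEGIN SELECT raise(IGNORE); END"
)

def make_tile_db(tiles):
    """Create an in-memory database with a simplified tile table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE images (zoom INTEGER, x INTEGER, y INTEGER, data BLOB)")
    db.executemany("INSERT INTO images VALUES (?, ?, ?, ?)", tiles)
    db.commit()
    return db

def protect_tiles(db):
    """Install the trigger from the text."""
    db.execute(PREVENT_DELETE)
    db.commit()

def unprotect_tiles(db):
    """Remove it again, restoring normal cache eviction."""
    db.execute("DROP TRIGGER IF EXISTS prevent_delete")
    db.commit()

def tile_count(db):
    return db.execute("SELECT count(*) FROM images").fetchone()[0]

def try_purge(db, max_zoom):
    """Mimic a cache purge of tiles above a zoom level; return the rows left afterwards."""
    db.execute("DELETE FROM images WHERE zoom > ?", (max_zoom,))
    db.commit()
    return tile_count(db)

def demo():
    """Purge with and without the trigger; returns (before, with trigger, without)."""
    tiles = [(z, 0, 0, b"\x89PNG") for z in range(10, 15)]  # constructed sample tiles
    db = make_tile_db(tiles)
    before = tile_count(db)
    protect_tiles(db)
    kept = try_purge(db, 12)      # zoom 13 and 14 would go, but the trigger ignores the delete
    unprotect_tiles(db)
    after = try_purge(db, 12)     # now the two tiles are really removed
    return before, kept, after

if __name__ == "__main__":
    print(demo())
```

Note that the ''DELETE'' raises no error either way, which is exactly why Maps keeps working: an application that checked for failure would see none.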
====== Get Free Memory ======

''top -l 1'' takes a single sample and exits; the ''PhysMem'' line summarises used, wired and free memory:

<code bash>
echo -e "\n$(top -l 1 | awk '/PhysMem/')\n"
</code>

====== Enable Multitask Gestures on iOS 4.x ======

Edit ''/System/Library/CoreServices/SpringBoard.app/K48AP.plist'' (iPad 1) or ''/System/Library/CoreServices/SpringBoard.app/N18AP.plist'' (fourth generation iPod touch) and make sure that the following option is set; if it is missing, add it:
<code xml>
      <key>multitasking-gestures</key>
      <true/>
</code>

Then copy the ''/var/mobile/Library/Preferences/com.apple.springboard.plist'' preference file to an OSX machine and convert it from binary to XML:
<code bash>
plutil -convert xml1 com.apple.springboard.plist
</code>

Now edit ''com.apple.springboard.plist'' and add the following option:
<code xml>
  <key>SBUseSystemGestures</key>
  <true/>
</code>
after:
<code xml>
  <key>SBLanguageRestart</key>
  <false/>
</code>

and convert the plist back to binary format:
<code bash>
plutil -convert binary1 com.apple.springboard.plist
</code>

Now copy the plist back to your device, replacing the old one:
<code bash>
scp com.apple.springboard.plist root@DEVICE_IP:/var/mobile/Library/Preferences/
</code>
where ''DEVICE_IP'' is the IP of your iOS device.

After a respring you can open an app and try a four-finger pinch. If the app closes, the gestures are enabled.

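The plist edits done by hand in "Disable Multitasking for iOS4", "Using plutil" and this section (flipping ''multitasking'', reading and rewriting the nested ''AuthenticationMethod'', adding ''SBUseSystemGestures'' to a binary preferences file) can all be done with Python's standard ''plistlib'' on the OSX side, which reads and writes both the XML and ''binary1'' formats, so the two ''plutil -convert'' steps are not needed. This is an added example, not code from the original page; the file names and sample contents in ''demo()'' are constructed for the demonstration, and the keys are the ones named in the text. Where a key lands in the file does not matter to SpringBoard (a plist dictionary is unordered), so the "after ''SBLanguageRestart''" placement above is only for tidiness.

```python
import os
import plistlib
import tempfile

def plist_get(path, *keys):
    """Read a plist (XML or binary) and return the value at a nested key path."""
    with open(path, "rb") as fh:
        node = plistlib.load(fh)
    for key in keys:
        node = node[key]
    return node

def plist_set(path, *keys, value, fmt=None):
    """Set a nested key (creating intermediate dicts) and write the plist back.

    With fmt=None the file keeps its current format, so a binary
    com.apple.springboard.plist stays binary without any -convert round trip.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    if fmt is None:
        fmt = plistlib.FMT_BINARY if data.startswith(b"bplist") else plistlib.FMT_XML
    root = plistlib.loads(data)
    node = root
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value
    with open(path, "wb") as fh:
        plistlib.dump(root, fh, fmt=fmt)
    return root

def demo():
    """Replay the three edits from the text on constructed files; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        # 1. SpringBoard capability file: flip "multitasking" off, gestures on.
        board = os.path.join(tmp, "K48AP.plist")               # constructed stand-in
        with open(board, "wb") as fh:
            plistlib.dump({"multitasking": True}, fh)
        plist_set(board, "multitasking", value=False)
        plist_set(board, "multitasking-gestures", value=True)  # key was absent, gets added

        # 2. Binary preferences file: add SBUseSystemGestures and keep it binary.
        prefs = os.path.join(tmp, "com.apple.springboard.plist")
        with open(prefs, "wb") as fh:
            plistlib.dump({"SBLanguageRestart": False}, fh, fmt=plistlib.FMT_BINARY)
        plist_set(prefs, "SBUseSystemGestures", value=True)
        with open(prefs, "rb") as fh:
            still_binary = fh.read(6) == b"bplist"

        # 3. Nested network preferences: read, then rewrite AuthenticationMethod.
        net = os.path.join(tmp, "preferences.plist")
        service = "0D1E9088-E273-11E1-91DB-7BC308E606D8"
        with open(net, "wb") as fh:
            plistlib.dump({"NetworkServices": {service: {
                "IPSec": {"AuthenticationMethod": "SharedSecret"}}}}, fh)
        before = plist_get(net, "NetworkServices", service, "IPSec", "AuthenticationMethod")
        plist_set(net, "NetworkServices", service, "IPSec", "AuthenticationMethod",
                  value="NoMethod")
        after = plist_get(net, "NetworkServices", service, "IPSec", "AuthenticationMethod")

        return (plist_get(board, "multitasking"), plist_get(board, "multitasking-gestures"),
                plist_get(prefs, "SBUseSystemGestures"), still_binary, before, after)

if __name__ == "__main__":
    print(demo())
```

Keep a copy of each file before calling ''plist_set'' on a real one, exactly as with the manual edits; the function rewrites the file in place.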
====== Downgrade to iOS 4.2.x ======

It seems that:
<code>
16fc33fee028cf71b7fd127d9fbc72b071358ab1  sn0wbreeze-v2-1.9.1.zip
</code>
is best suited for downgrades to 4.2.1. Copies found elsewhere may not match that SHA-1 exactly, but sn0wbreeze v2 at version 1.9.1 should do the trick.

The latest version seems to make iTunes attempt to upgrade the baseband, at which point the downgrade fails with error 1105.

====== Setting SOCKS Proxy ======

Setting a SOCKS proxy for iOS can be done conveniently if the device is jailbroken. In the example screenshot below:

{{fuss_ios_socksproxy.png}}

the Wi-Fi connection loads the ''/etc/tor/proxy.pac'' file from the device's own filesystem, just as a Mac would. For more information on PAC / WPAD files, see [[networking:proxy_chaining#proxy_auto-discovery|proxy auto-discovery]].

====== Illegal Instruction 4 ======

Some old ''ARM'' v6 binaries compiled with ''gcc'' die with "Illegal instruction: 4" when executed on newer devices such as the iPhone 5 or iPad 4 with the ''A6'' or ''A6X'' CPUs. The two byte patterns below are the little-endian encodings of ''ldr r3, [r3], #0'' and ''ldrb r3, [r3], #0'': post-indexed loads whose base register is also the destination, a combination the ARM architecture defines as unpredictable and which these cores trap. The replacement sets the P bit of each instruction, turning them into the plain ''ldr r3, [r3]'' and ''ldrb r3, [r3]'' forms, which load the same value from the same address.

To avoid the crash, run the following command to patch a binary before signing it. GNU ''sed'' is required for the ''\x'' escapes, and since this is a raw byte substitution it can also hit data that happens to contain the same bytes, so keep a backup:
<code bash>
sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' /path/to/binary
</code>

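The same patch as the ''sed'' one-liner above and inside ''iosign'', as an added example that is not code from the original page: it works per aligned 32-bit ARM instruction word instead of on raw byte substrings, decodes the load/store immediate encoding and rewrites only post-indexed ''LDR''/''LDRB'' with a zero offset whose base register equals the destination. It generalises the two fixed patterns to any register and condition code, on the assumption (which follows from the encoding) that the same reasoning applies to them. It still cannot tell code from data: like the ''sed'' version, run it only over ARM (not Thumb) code, and keep a backup. The sample words in ''demo()'' are constructed.

```python
import struct

def is_bad_postindexed_load(word):
    """True for LDR/LDRB Rt, [Rn], #0 with Rt == Rn (immediate form, no W bit)."""
    if (word >> 28) == 0xF:               # unconditional space: not a load/store
        return False
    if ((word >> 25) & 0x7) != 0b010:     # load/store word/byte, immediate offset
        return False
    p = (word >> 24) & 1                  # P=0: post-indexed (writeback implied)
    w = (word >> 21) & 1                  # W=1 with P=0 would be LDRT, leave it alone
    l = (word >> 20) & 1                  # L=1: load (stores are not affected)
    rn = (word >> 16) & 0xF
    rt = (word >> 12) & 0xF
    imm12 = word & 0xFFF
    return p == 0 and w == 0 and l == 1 and rn == rt and imm12 == 0

def fix_word(word):
    """Set the P bit: post-indexed form becomes the plain offset form with #0."""
    return word | (1 << 24)

def patch_arm_text(blob):
    """Patch every aligned ARM word in blob; return (patched_bytes, count)."""
    out = bytearray(blob)
    count = 0
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        if is_bad_postindexed_load(word):
            struct.pack_into("<I", out, off, fix_word(word))
            count += 1
    return bytes(out), count

def demo():
    """Run the patcher over constructed sample words; return (count, words after)."""
    sample = [
        0xE4933000,  # ldr  r3, [r3], #0   the sed pattern; patched
        0xE4D33000,  # ldrb r3, [r3], #0   the second sed pattern; patched
        0xE5933004,  # ldr  r3, [r3, #4]   already offset form; untouched
        0xE4933004,  # ldr  r3, [r3], #4   non-zero offset, not equivalent; untouched
        0xE4912000,  # ldr  r2, [r1], #0   Rt != Rn, legitimate; untouched
        0xE4D55000,  # ldrb r5, [r5], #0   same bug on another register; patched
    ]
    blob = struct.pack("<%dI" % len(sample), *sample)
    patched, n = patch_arm_text(blob)
    return n, list(struct.unpack("<%dI" % len(sample), patched))

if __name__ == "__main__":
    n, words = demo()
    print(n, ["0x%08X" % w for w in words])
```

Apply it to a binary by reading the file, calling ''patch_arm_text'' and writing the result back, then sign with ''ldid -S'' as before; the offset form with ''#0'' leaves the base register untouched, which is also what the original post-indexed instruction computed, so the patched code is equivalent where the original executed at all.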
====== Exploiting the iPhone 13 without Unlocking via Siri ======

iOS at version ''15.3.1'' allows Siri to be activated from the lock screen without having to unlock the phone. Siri can then be leveraged to perform various actions. Whilst some actions make Siri require the user to unlock the phone, others are still allowed without unlocking it.

In order to activate Siri from the lock screen, hold the side button down for about three seconds.

Here is a list of actions that have been observed to work from the lock screen on iOS at version ''15.3.1''. All of them depend on the ''Allow Siri When Locked'' switch under Settings, Siri & Search; turning it off closes every one of them, at the cost of lock-screen Siri.

===== Stealing the Phone =====

Siri can be told:
  * ''turn wifi off''
  * ''turn mobile data off''

or, for short:
  * ''turn airplane mode on'' (which additionally turns off the radios the phone would use to report its location)

such that the "Find My" iCloud service at ''https://www.icloud.com/find/'' can no longer locate the phone.

This allows someone who intends to steal the phone to effectively cut any Internet connectivity, such that the phone can no longer be tracked.

===== Changing Alarms and Muting Volume =====

Siri can be told to set an alarm for a certain point in time, for example:
  * ''set alarm for 2pm''

as well as to change the volume:
  * ''set volume to maximum''

directly from the lock screen without having to unlock the phone.

Conversely:
  * ''mute volume''

such that any calls or appointments will be missed.

  

fuss/ios.1436290850.txt.bz2 · Last modified: 2015/07/07 17:40 by office
