Last week I tried to figure out how a cheap Chinese AV-to-Wi-Fi signal converter (903W) works, so that I could capture the streamed video in my own application. For this I needed a jailbroken iOS device: one where I could run tools such as cycript and dump decrypted iOS application binaries with dumpdecrypted.
In most cases jailbreaking a modern iOS device is trivial, except for devices that have been updated to the latest iOS version. In my case I had an old iPhone 5 with iOS 8.2 available for experiments, but, unfortunately, the only update available for it was iOS 10.2.x, and no jailbreak for iOS 10.2.x on the iPhone 5 existed as of January 2017. So I decided to stay on the already installed iOS 8.2 and jailbreak the two-year-old OS with the TaiG tool.
First of all, it should be noted that the success of the whole process depends on the right combination of the installed iTunes version (the Apple Mobile Device Support package on Windows) and the jailbreak tool version, which in turn must support your iOS version. To be honest, I don't feel comfortable running applications written by Chinese hackers on my work machine, so I completed all the steps below on my old HP XW6600 with Windows 7 installed. I didn't consider using a virtual machine because of reported issues with the TaiG Jailbreak Tool running in a VM.
There are two jailbreak options for the iOS 8.x series, from TaiG and Pangu, but only TaiG supports iOS 8.2 and is available for both Windows and OS X. The latest TaiG Jailbreak Tool for iOS 8.x is v2.4.5, but alas, it doesn't work with the iOS 8.2 installed on my iPhone 5. I tried running it with different iTunes versions with no luck, so I decided to roll back to v2.4.3 in combination with iTunes v22.214.171.124. Looking ahead, I can say that this combination worked and I was able to jailbreak my iPhone 5 with it.
The TaiG Jailbreak Tool prevents you from running previous versions of the application by comparing the version of the launched application with the latest one published on the TaiG homepage. This check is mandatory and blocking. It also refuses to run when the TaiG Update Check service is unavailable, which happens from time to time.
So what can we do here? There are plenty of tools that let us see what requests our computer sends and what responses it receives: packet sniffers or analyzers. Even the simplest one will do, as we only need to determine the URL of the Update Check request.
With the help of HTTPNetworkSniffer we can see that the TaiG Jailbreak Tool sends a request to i_get_taig_pc_config.php with a data GET parameter, probably the current version signature:
http://f_bb.taig.com/Interface/i_get_taig_pc_config.php?data=sU40nFL43ykkDN0HS445RDwWUi%43RPgyKpSJ21HdsDDCRyNarODu%2FHGXEE5Wxf%2FJPYlzztfTSYkw940%0D%0AdcsVU20AXAF0WQD92%2Ff9yI324FCMGEvE%3D
Now that we know this detail, we can emulate the Update Check logic on a local server and point the TaiG Jailbreak Tool at it.
But first we need the structure of a successful Update Check response. To get it, run the latest TaiG Jailbreak Tool v2.4.5 and capture its Update Check request URL with HTTPNetworkSniffer. Opening this URL in any browser reveals the JSON response structure the application receives when the check passes:
That's all we need to emulate the Update Check service. We can skip analysing the data GET parameter, since our Update Check service will respond with success for every application version.
Let's use the simple web server Mongoose to host a plain text file named i_get_taig_pc_config.php. Re-create the following folder structure and put the successful JSON response mentioned above into i_get_taig_pc_config.php.
Run Mongoose with the following command-line arguments:
The final step: append a new line to the Windows hosts file (C:\Windows\System32\drivers\etc\hosts) to point the TaiG Jailbreak Tool to our masqueraded service instead of the genuine one:
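As an added example (not the post's Mongoose setup and not TaiG's own code), here is the same masqueraded Update Check service written with Python's standard library, so that the behaviour is explicit: it answers the captured path with whatever successful JSON you saved from v2.4.5 (read from a file you supply; the body itself is not reproduced here), ignores the data parameter entirely, and prints the hosts-file line for f_bb.taig.com. The hostname and path come from the sniffed URL above; the function names, the file name and the 404 for any other path are my own choices, not anything observed from the real service.

```python
"""Masqueraded TaiG Update Check service (added example, not the post's
Mongoose setup and not TaiG's code). Serves the successful JSON captured
from v2.4.5 (read from a file; body not reproduced here) for every request
to the Update Check path, whatever the data parameter contains."""
import sys
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Both values come from the URL captured with HTTPNetworkSniffer.
UPDATE_CHECK_HOST = "f_bb.taig.com"
UPDATE_CHECK_PATH = "/Interface/i_get_taig_pc_config.php"


def hosts_file_line(redirect_to="127.0.0.1"):
    """Line to append to the hosts file so the tool resolves the TaiG host to us."""
    return f"{redirect_to} {UPDATE_CHECK_HOST}"


def parse_update_check_url(url):
    """Split a captured URL (or bare request target) into (path, decoded data param)."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query)
    data = query.get("data", [None])[0]
    return parts.path, data


def update_check_response(request_target, success_body):
    """Decide the reply as (status, body, data).

    The data parameter (presumably the version signature) is returned so it can
    be logged, but never inspected: every version is told the check passed.
    Any other path gets a 404 (my assumption; the real service's behaviour for
    other paths was not captured)."""
    path, data = parse_update_check_url(request_target)
    if path != UPDATE_CHECK_PATH:
        return 404, b"", data
    return 200, success_body, data


class FakeUpdateCheck(BaseHTTPRequestHandler):
    success_body = b"{}"   # replaced with the captured JSON by serve()
    seen_data = []         # data parameters we were asked about, for the log

    def do_GET(self):
        status, body, data = update_check_response(self.path, self.success_body)
        self.seen_data.append(data)
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(success_body, host="0.0.0.0", port=80, background=False):
    """Listen on port 80: the hosts entry rewrites the name only, never the port,
    and the captured URL is plain http://, so the client will connect to 80."""
    FakeUpdateCheck.success_body = success_body
    srv = HTTPServer((host, port), FakeUpdateCheck)
    if background:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    else:
        srv.serve_forever()
    return srv


if __name__ == "__main__":
    # usage (hypothetical file name): python fake_update_check.py captured_response.json
    with open(sys.argv[1], "rb") as f:
        captured = f.read()
    print("append to hosts file:", hosts_file_line())
    serve(captured)
```

Run it from an elevated prompt, because binding port 80 and editing the Windows hosts file both require administrator rights. If the tool still refuses to start, check with the sniffer that its request is actually arriving at 127.0.0.1 and not at the real host: a stale DNS cache (ipconfig /flushdns) or a proxy configured in the system settings will bypass the hosts entry.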
Now we are ready to launch any version of the TaiG Jailbreak Tool, or to reload an already launched one by pressing the Try Again button.
After approximately 15 minutes and several iPhone reboots you get access to an unrestricted iOS environment, perfect for debugging and reverse engineering.
Speaking of update-check APIs and beyond: using HTTPS instead of plain HTTP, together with SSL certificate pinning, makes this kind of attack considerably harder. A hosts-file redirect alone then stops working, since the masqueraded server cannot present a certificate the pinned client accepts; what remains for someone who controls the machine is patching the pinning check out of the binary itself, so it raises the bar rather than making the attack impossible.